A copy of the agenda for the Special Committee Meeting will be posted and distributed at least twenty-four (24) hours prior to the
meeting. In observance of the Americans with Disabilities Act, please notify us at 650-988-7504 prior to the meeting so that we
may provide the agenda in alternative formats or make disability-related modifications and accommodations.
AGENDA Special Meeting of the Corporate Compliance /Privacy and Internal Audit Committee
of the El Camino Hospital Board
Thursday, May 21, 2015, 5:00 – 7:15 p.m.
El Camino Hospital, Conference Room F, ground floor
2500 Grant Road, Mountain View, California
Ramy Houssaini will participate via teleconference from the following address:
46 Rue de la Montagne Sainte-Geneviève, 75005 Paris, France
John Zoglin will participate via teleconference from the following address:
Wyndham New York Hotel, 481 8th Avenue, New York, NY 10001, US
Purpose: The Corporate Compliance/Privacy and Internal Audit Committee is responsible for providing direction for both the
Corporate Compliance and Internal Audit programs at all locations of El Camino Hospital (ECH). Responsibilities include
providing oversight on compliance issues requiring executive-level interaction, assessing physician relationship risk as it relates
to compliance, reviewing HIPAA/Privacy laws as they relate to compliance and directing ECH on compliance strategies. The
Committee also serves as the ad-hoc mobilization team for any external investigations and/or actions. Further, additional
responsibilities include providing direction and oversight to ongoing internal audit activity and determining appropriate
organizational response in order to identify and mitigate organizational risk.
1. CALL TO ORDER/ROLL CALL
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   5:00 – 5:01 p.m.
2. POTENTIAL CONFLICT OF INTEREST DISCLOSURES
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   5:01 – 5:02
3. PUBLIC COMMUNICATION
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   5:02 – 5:07
4. REPORT ON BOARD ACTIONS
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   5:07 – 5:12
5. CONSENT CALENDAR ITEMS
   Any Committee Member may pull an item for discussion before a motion is made.
   Approval: a. Minutes of Corporate Compliance Meeting, March 19, 2015
   Information: b. Epic Documents
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   Public comment; motion required
   5:12 – 5:15
6. ENTERPRISE RISK ASSESSMENT AND MITIGATION PLAN (ATTACHMENT 6)
   Presented by: Mick Zdeblick, Chief Operating Officer
   Motion for recommendation required
   5:15 – 5:45
7. PLAN FOR RESEARCH COMPLIANCE (ATTACHMENT 7)
   Presented by: Mick Zdeblick, Chief Operating Officer
   Motion for recommendation required
   5:45 – 5:55
8. KEY PERFORMANCE INDICATORS SCORECARD AND TRENDS
   a. Memo, Scorecard, and Trend Graph (ATTACHMENT 8)
   Presented by: Diane Wigglesworth, Compliance/Privacy Officer
   Information
   5:55 – 6:00
9. NEW ARTICLE
   a. OIG Practical Guidance for Healthcare Governing Boards on Compliance Oversight (ATTACHMENT 9)
   Presented by: Diane Wigglesworth, Compliance/Privacy Officer
   Information
   6:00 – 6:05
10. ADJOURN TO CLOSED SESSION
   6:05
11. POTENTIAL CONFLICT OF INTEREST DISCLOSURES
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   6:05 – 6:07
12. CONSENT CALENDAR
   Any Committee Member may pull an item for discussion before a motion is made.
   Approval: Closed Session Minutes (3/19/15), Govt. Code Section 54957.2 (motion required)
   Information: Conference with legal counsel – pending or threatened litigation – Gov’t. Code Section 54956(d)(2):
   - Compliance and Privacy Logs
   - Internal Audit Follow Up
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   6:07 – 6:15
13. Conference with legal counsel – pending or threatened litigation – Gov’t. Code Section 54956.9(d)(2). Discussion on IT Security
   Presented by: Greg Walton, Chief Information Officer
   Information
   6:15 – 6:35
14. Conference with legal counsel – pending or threatened litigation – Gov’t. Code Section 54956.9(d)(2). Report on Internal Audit Activity Programs
   Presented by: Diane Wigglesworth, Compliance/Privacy Officer
   Information
   6:35 – 6:55
15. Health and Safety Code Section 32106(b) for a report involving health care facility trade secrets. Discussion on Pacing Calendar
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   Information
   6:55 – 7:00
16. RECONVENE OPEN SESSION
   To report any required disclosures regarding permissible actions taken during Closed Session.
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   7:00
17. STATUS OF FY:15 COMMITTEE GOALS (ATTACHMENT 17)
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   Information
   7:00 – 7:05
18. PROPOSED FUTURE FY:16 COMMITTEE MEETING DATES (ATTACHMENT 18)
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   Information
   7:05 – 7:10
19. COMMITTEE COMMENTS
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   7:10 – 7:15
20. ADJOURNMENT
   Presented by: Dennis Chiu, Vice Chair, Corporate Compliance Committee
   7:15 p.m.
Upcoming Corporate Compliance Committee Meetings: June 10, 2015 (Joint Meeting of ECH Board and Corporate Compliance Committee 5:30 pm)
Draft: Subject to Compliance Committee and Board of Directors Consideration
Minutes of the Open Session
Corporate Compliance, Privacy and Internal Audit Committee Meeting
Thursday, March 19, 2015
El Camino Hospital, 2500 Grant Road, Mountain View, California
Conference Room G
1. Call to Order. The meeting of the Corporate Compliance, Privacy and Internal
Audit Committee (the “Committee”) was called to order by Vice Chair Dennis Chiu at 5:05 p.m.
Silent Roll Call.
Members Present: Dennis Chiu, Wes Alles, Christine Sublett, Sharon Anolik-Shakked,
and Ramy Houssaini (by phone).
Members Absent: John Zoglin
2. Potential Conflict of Interest Disclosures. Vice Chair Dennis Chiu asked if
there were any conflicts of interest on any of the items on the agenda. None was reported.
3. Public Communication. There were none.
4. Report on Board Actions. Diane Wigglesworth indicated that a Report on Board
Actions has been added to the agendas for all Board Committee meetings for the purpose of
reporting back on actions taken by the Hospital Board, especially those that might impact or be of
significant interest to the individual Committees. Vice Chair Chiu stated that there was a
particular red alert Quality issue addressed at the most recent Board meeting that he would report
on in closed session. He also noted that the Board discussed as part of the “Big Dot” focus one or
two Quality issues that Executive Leadership should concentrate on, and it was agreed that
leadership focus should be on patient centered care.
5. Consent Calendar. Vice Chair Chiu asked if anyone wished to remove any
items from the consent calendar. There were no requests to do so.
Motion: To approve the Minutes of January 15, 2015.
Movant: Sublett
Second: Anolik-Shakked
Ayes: Chiu, Alles, Sublett, Anolik-Shakked
Ayes by phone: Houssaini
Noes: None
Abstentions: None
Absent: Zoglin
Recused: None
Enterprise Risk Assessment and Hospital Action Plan. Mick Zdeblick, COO, introduced
Michael Kearney, Partner and Jacqi Fifield, Senior Manager from Deloitte, the organization
chosen by the Committee to assist ECH in developing an Enterprise Risk Management program.
As part of this process, the Committee requested Deloitte conduct an enterprise wide risk
assessment. Based on executive and board interviews, Deloitte has identified a list of the top ten
internally focused risks to ECH (risk descriptions are contained in the Deloitte Assessment
presentation).
The risk assessment findings appear consistent with what the executive leadership team has
discussed during the year and also leverage the topics discussed at the most recent Board retreat.
Management is in the process of better understanding this assessment and evaluating
prioritization. The Committee is also interested in how this internally focused assessment will be
modified as our external views of enterprise risk are developed. The external view will be
developed when an off-site workshop is conducted in April at the Deloitte Greenhouse Lab in
San Jose. The initial top four risks addressed in a response by leadership were Physician
Strategy, Shift in Payor Mix, Pace of Change and Strategic Priorities. Once the external Lab
assessment is conducted in April with executive leadership the Committee will review
management’s re-prioritization of the most impactful identified risks. The next step will be to
work with Deloitte to develop a complete ERM program approach.
Discussion points included:
- Understanding that the biggest risk of all is how the organization responds to an unexpected crisis.
- Integrating an ERM program into existing processes. The goal is to identify what is in place and what needs to be added, and to determine the incremental steps needed to put in place actions that address significant risk. The action plan does not need to be metric driven.
- Considering the risk presented by our competitors.
- The ERM program is Management’s responsibility, and the Board should provide oversight of Management’s process. Management and the Board must be in alignment on risk tolerance levels. The Board has indicated a desire to know more about the risks that would have the most significant impact on brand or revenue, and the Executive Leadership Team will work with the Board to develop and receive reports annually.
Mick Zdeblick briefly introduced the X-box tool, a key strategic tool for assisting in addressing
internal risk.
As suggested by Ms. Wigglesworth, it was agreed that the Committee would delay a motion on
Management’s current action plan submitted to the Committee to a later date, when the external
assessment of the risk assessment has been completed and Management has reviewed and
reprioritized the top four risks again.
Representatives from Deloitte left the meeting at 6:00 p.m.
6. Review of Committee Charter. No changes to the Charter were recommended.
No motion was taken.
7. Review of FY16 Committee Goals. A draft of the FY16 Corporate
Compliance/Privacy and Audit Committee Goals was reviewed. Following some discussion,
Members Anolik-Shakked and Houssaini both indicated they would like to see a quarterly
review of Enterprise Risk Management reporting tools and plan for continuous monitoring.
Member Anolik-Shakked recommended that the wording for Metrics of Success Achieved for
that goal be modified. Review of Enterprise Risk Management reporting tools and plans for
continuous monitoring is changed to read “committee reviews ERM reporting tools and
monitoring plan quarterly and then recommends a final version to the Hospital Board for
approval by March 2016.”
Motion: To approve all goals with the changes in wording as described for metrics of
success achieved for Enterprise Risk Management reporting tools and plan for continuous
monitoring.
Movant: Anolik-Shakked
Second: Sublett
Ayes: Chiu, Alles, Sublett, Anolik-Shakked
Ayes by phone: Houssaini
Noes: None
Abstentions: None
Absent: Zoglin
Recused: None
Motion passed
Representatives from Deloitte left the meeting at 6:35 p.m.
8. Key Performance Indicators Scorecard and Trends. Ms. Wigglesworth
reviewed the metrics for February activity along with YTD information. She reported that the
numbers of compliance and privacy investigations have remained consistent over the last few
months. The organization has experienced only a few reportable breaches over the last few
months, and reportable privacy breaches to CDPH are trending down significantly compared
with the previous fiscal year. Due to some patient complaints there was a slight increase in
the number of CDPH visits to the hospital in February. The hospital is awaiting the CDPH
reports from those visits; the statements of deficiencies that were issued related to the previous
year’s self-reported events by the hospital.
9. New Articles. Articles on EHR audits and the Anthem data breach were presented
and briefly discussed.
10. Adjourn to Closed Session.
Motion: To move to closed session at 6:15 p.m. pursuant to Gov’t Code Section 54957.2 to
consider and approve the consent calendar; pursuant to Gov’t Code Section 54956.9(d)(2)
for two conferences with legal counsel regarding IT Security and government audit
programs; and pursuant to Health and Safety Code Section 32106(b) for a report on the
pacing plan.
Movant: Sublett
Second: Anolik-Shakked
Ayes: Chiu, Alles, Sublett, Anolik-Shakked
Ayes by phone: Houssaini
Noes: None
Abstentions: None
Absent: Zoglin
Recused: None
Mr. Zdeblick left the meeting at 6:15 p.m.
11. Agenda Item 17 – Reconvene Open Session. Vice Chair Chiu reported that the
following actions were taken in closed session:
A. The motion to approve the Consent Calendar items (Closed Session Minutes of the January
15, 2015 meeting, the Compliance Activity Log (January - February 2015), and the
Internal Audit Follow Up Table) was adopted by a unanimous vote of the
Members present (Chiu, Alles, Sublett, Anolik-Shakked, and Houssaini [by
phone]).
B. The motion to approve the FY15 Physician Arrangements Report was adopted by a
unanimous vote of the Members present (Chiu, Alles, Sublett, Anolik-Shakked,
and Houssaini [by phone]).
Motion: To adjourn to Open Session at 6:45 p.m.
Movant: Sublett
Second: Anolik-Shakked
Ayes: Alles, Chiu, Sublett, Anolik-Shakked
Ayes by phone: Houssaini
Noes: None
Abstentions: None
Absent: Zoglin
Recused: None
Motion passed
12. Agenda Item 18 – Status of FY15 Committee Goals and Development of FY16
Goals. Ms. Wigglesworth indicated that at the next meeting the committee would review the
Hospital risk mitigation plan for research compliance and an updated action plan based on the
revised enterprise-wide risk assessment that will be prepared in April to include external risks.
The committee’s review of both items will complete the committee goals for the fiscal year.
13. Agenda Item 19 – Committee Comments. Member Alles commented on his
concern that the Deloitte risk assessment report may have been overstated; however, it did make
him realize he had not been aware of some of the risks it brought to attention. It was pointed
out that we have had, up until now, primarily an inward focus on risk vs. an outward focus.
External risks were defined as things such as clinical programs, market issues such as the growth
of PAMF and Stanford, and the ACA expansion of Medi-Cal. Ms. Wigglesworth expressed her
extreme appreciation to all the advisors on the Committee, who have continually provided
recommendations that have improved the compliance program over the last two years, and she looks
forward to their ongoing support.
14. Agenda Item 20 – Adjournment.
Motion: To adjourn the meeting at 6:55 p.m.
Movant: Anolik-Shakked
Second: Alles
Ayes: Chiu, Alles, Sublett, Anolik-Shakked
Ayes by phone: Houssaini
Noes: None
Abstentions: None
Absent: Zoglin
Recused: None
Motion passed
Attest as to the approval of the foregoing minutes by the Governance Committee and by the Board of Directors of El Camino Hospital:

__________________________
John Zoglin, Chair
ECH Corporate Compliance, Privacy and Internal Audit Committee

______________________________
Dennis Chiu
ECH Board Secretary
DATE: May 12, 2015
TO: Corporate Compliance/Privacy and Internal Audit Committee
FROM: Susan Bukunt, Sr. Director iCare Operations Champion
SUBJECT: Epic Documents
BOARD ACTION: Possible Motion: That the Committee recommends that the Board approve the Proposed Epic Documents
iCare Link: This new system gives us the ability to offer other organizations that have a relationship with a patient access to the patient's medical record in a secured environment. iCare Link is a free web-based portal that will allow providers in physician offices, community clinics, and after-care facilities associated with the patient to view an online version of the patient's care within our organization. iCare Link will replace our current tool for sharing patient information, Pro Access. This tool can help organizations provide:
- Transparent flow of information between physicians and other care providers.
- A streamlined process for external physicians to place referrals and orders to your organization.
- Secure access to select patient information in our iCare data repository, eliminating the need for faxing of documents.
In order to enroll these organizations and be ready for the November go-live we will need signed indemnity agreements and applications back to us by August 28, 2015. The following iCare Link documents have been created to support enrolling organizations:
iCare Link Indemnity Agreement
iCare Link Terms and Conditions Access Agreement
iCare Link practice enrollment
MyCare: MyChart, which we have renamed MyCare, is Epic’s patient portal, a customizable web application that gives patients easy access to their medical records.
Offering MyCare to patients can help strengthen the relationships they have with clinicians at our organization and give patients tools they can use to become better invested in their own health. The following are just some of the things patients can do using MyCare:
Schedule appointments
View and graph lab results
Request medication refills
Send messages to their physicians
View their children’s medical records
Pay bills
Patients will be required to sign a Terms & Agreement document when they log on, attesting to appropriate use of the portal. Adults may grant access to their record to another person, and parents may access their child's record within the limitations of State laws. The following MyCare documents have been created to support patient portal access:
Terms and Conditions of MyCare
My Care Proxy Policy
My Care Adult Proxy Form
My Care Child Proxy Form
Care Everywhere: Care Everywhere is Epic's interoperability platform, which can be used to exchange patient data with other healthcare institutions using Epic. Today, organizations are using Care Everywhere to exchange over eight million patient charts monthly. Care Everywhere helps us make sure that clinicians have the information they need to treat patients, both for planned transitions of care, such as referrals, and unplanned transitions of care, such as visits to the emergency department.
For a planned transition or visit, such as a scheduled procedure or test, the system sends a query to other Epic organizations requesting patient clinical information. During an unplanned visit, the user requests information from another organization. The information from the other system is brought into Epic at the point of care and is available locally within a clinician's workflow. After receiving the patient's information, physicians can review it and reconcile any discrete problems, allergies, and medications retrieved by Care Everywhere with information in the patient’s iCare chart. Reconciled data becomes a permanent part of the patient’s chart and is used to drive clinical decision support. The following Care Everywhere documents have been created to support information received from and requested from other organizations:
Care Everywhere Authorization
Revision to policy 1.10 release of patient information
El Camino Hospital iCare Link User Agreement
This El Camino Hospital iCare Link User Agreement ("Agreement") is made and entered into as of this ____ day of _____________ 20___, or the date of last signature below, whichever is later, by and among ______________________________________________________________ ("Practice"), whose address is _____________________________________________________ and telephone contact is __________________________________, and El Camino Hospital (“ECH”).
RECITALS:
WHEREAS, Practice is currently involved in the care and treatment of patients who have received care or treatment at El Camino Hospital; and
WHEREAS, the parties wish to state the terms and conditions under which Practice will be given access to a secure electronic database of El Camino Hospital owned patient information by which the Practice may obtain information regarding Practice patients' care and treatment at El Camino Hospital which is needed by Practice to provide further care to its patients.
NOW, THEREFORE, in consideration of the mutual promises herein contained, El Camino Hospital and Practice agree as follows:
ARTICLE I
Section 1.1. The Program. El Camino Hospital maintains a secure electronic database of confidential patient information owned by El Camino Hospital, including but not limited to clinical and hospital treatment records, physician notes, laboratory and imaging records, patient demographic information, insurance and third-party payer information and other information regarding El Camino Hospital patients and proprietary information. This aforementioned information and the ICare Link software shall be collectively referred to as the "Program". El Camino Hospital reserves the right to modify or discontinue the Program or Practice's access to the Program or terminate this Agreement at any time for any reason.
Section 1.2. Grant of Limited Use. Practice is granted the right to access the Program for the following sole and limited purpose: Practice may obtain health information about care or treatment received by Practice's patients from El Camino Hospital which is necessary for Practice's current treatment of the patient for whom the information is sought. All other use of the Program is strictly prohibited. Any other patient information sought by Practice shall be obtained upon the patient's written authorization under standard patient information release practices and procedures of El Camino Hospital (depending upon records sought), and California law. Practice's access to the Program is subject to audit and review at any time by El Camino Hospital.
Section 1.3. No Maintenance or Support to Program. No technical or administrative support shall be provided to Practice relative to its use of the Program.
ARTICLE II
Section 2.1. Practice Access. Program access is managed by the El Camino Hospital IT Security and Access Management Team ("IT Security Team"). Practice shall identify users whom it shall authorize to access the Program on its behalf ("User") under this Agreement and submit to El Camino Hospital an ICare Link Access Request Form for each User which Practice identifies on an Access Request Form submitted to El Camino Hospital.
A confidential User ID and temporary password shall then be assigned to each User, by which such User may access the Program for the limited purposes stated in Section 1.2 herein.
Section 2.2. Sharing of Passwords Prohibited. Practice shall protect the confidentiality of User IDs and passwords consistent with the requirements detailed in the attached Terms and Conditions of use and the Health Insurance Portability and Accountability Act of 1996 as amended (HIPAA) and shall not divulge such confidential IDs and/or passwords to any other persons. Practice shall be responsible for use of the password issued to its designated Users.
Section 2.3. Notification of Compromised Password. In the event that a password assigned to a User is compromised or disclosed to a person other than the User, the Practice shall, upon learning of the compromised password, immediately notify the El Camino Hospital IT Security Team (as set forth in Article VI, Section 6.3) so actions can be taken to limit access by that password and to issue a new password to the Practice User. Also see the notification required under Article IV, Section 4.3.
Section 2.4. Practice Notification of Termination of Employment and Other Events Ending An Employee's Need to Access the Program. Practice shall immediately notify the El Camino Hospital IT Security Team (as set forth in Article VI, Section 6.3) in the event any Practice User ceases to be employed by or associated with the Practice, experiences a change in job function such that User no longer requires access to the Program, or for any other reason that the Practice chooses to no longer provide such person access to the Program on its behalf. Unless and until the El Camino Hospital IT Security Team receives such notification, Practice shall remain responsible for such User's actions in accessing the Program and using the information obtained thereunder.
Section 2.5. Practice Training Requirement. Practice shall provide annual training to its Users on issues related to information security and patient confidentiality. Practice shall maintain written records evidencing such annual training and provide copies upon request to El Camino Hospital.
ARTICLE III
Section 3.1. Ownership. No rights to the Program or patient information contained therein are transferred to the Practice under this Agreement.
Section 3.2. Accessing, Using, and Disclosing PHI.
a. Practice may only make paper copies of Program medical records which are necessary and essential for the sole purpose of the Practice's diagnosis, evaluation and treatment of a current patient. Such copies shall be maintained, protected and destroyed in the same manner as the Practice maintains, protects and destroys the medical records of Practice's patients.
b. Practice shall not use or disclose any medical records obtained from the Program for any purpose other than the diagnosis, evaluation and treatment of a current patient, except as otherwise permitted in this Agreement and as set forth in Article IV, Section 4.1 of this Agreement.
c. Practice may not make electronic copies of medical records or other documents contained in the Program.
d. Practice shall not rewrite or otherwise alter, destroy, circumvent or sabotage the Program or the electronic medical records and documents stored and maintained in the Program.
e. Practice shall not access, use or disclose any information contained in the Program for any purpose with the intent to negatively impact the competitive advantage of El Camino Hospital in the marketplace.
ARTICLE IV
Section 4.1. Medical Records Confidential. The parties recognize that the medical records maintained in the Program are subject to various state and federal privacy laws and regulations including but not limited to HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH), and the California Confidentiality of Medical Records Information Act of 1981 pursuant to which El Camino Hospital and Practice are under an obligation to maintain the confidentiality of such records. Practice shall not disclose information from such records except to: a) other physicians and personnel under the direction of Practice who are participating in the treatment of the respective patients; b) entities involved in the payment or collection of fees for medical services rendered by Practice, provided that the patient in question has consented to such disclosure; c) other persons or entities as to whom such disclosure is required by law; d) upon obtaining the patient's written consent. Practice may release paper copies of documents obtained from the Program that are maintained with Practice's own medical record of the patient.
Section 4.2. Indemnification. Practice shall indemnify and defend and hold El Camino Hospital harmless from and against all claims, demands, suits, judgments, costs and expenses (including reasonable attorney's fees and court costs), if any, that may be made or taken against El Camino Hospital or incurred by El Camino Hospital as a result of a breach of this Agreement by Practice, its employees or agents and/or the acts or omissions of Practice, its employees or agents, including but not limited to any unauthorized access, use or disclosure of any Program information (which includes protected patient health information as defined in HIPAA ("PHI")) by Practice or Users or through passwords issued to Users.
Section 4.3. Unauthorized Access, Use or Disclosure. If the Practice discovers an unauthorized access, use or disclosure of PHI by Practice, any Practice User or as a result of a compromised ID & password issued to a User, Practice shall as soon as possible but not later than two (2) calendar days following the discovery of such unauthorized acquisition, access, use or disclosure of PHI notify El Camino Hospital by telephone and in writing at the telephone numbers and addresses set forth in Article VI, Section 6.3. Practice shall be considered to have discovered such unauthorized activity as of the first day on which the unauthorized activity is known or, by exercising reasonable diligence, would have been known to the Practice. Such notice shall include identification of each individual whose unsecured PHI has been, or is reasonably believed by the Practice to have been accessed, acquired, or disclosed during such unauthorized activity. If El Camino Hospital determines the unauthorized activity by Practice or its agent or employee qualifies as a Breach (hereinafter defined) that triggers the HITECH breach notification requirements, then Practice will reimburse El Camino Hospital for all costs incurred by it related to notifying individuals affected by such Breach of the Breach. El Camino Hospital, at its sole discretion, shall make the determination of whether or not the definition of "Breach" as set forth in the HITECH Act, 45 CFR §164.402, has been met. In addition, it shall be incumbent upon Practice to institute appropriate disciplinary actions against the agent(s) and/or employee(s) responsible for the Breach. Upon request from El Camino Hospital, Practice shall provide evidence to El Camino Hospital of any disciplinary actions taken. In addition to disciplinary actions taken by Practice, El Camino Hospital may, at its sole discretion, and without prejudice to any of its rights against Practice as a result thereof, terminate this Agreement and terminate the access of Practice. Practice agrees to promptly and fully cooperate with El Camino Hospital in any investigation of suspected breach of patient confidentiality.
Section 4.4. Additional Legal Remedies for Prohibited Acts. Should Practice or any contractor, agent, employee or Practice User access, use or disclose any data, patient information or other information stored or maintained in the Program for any purpose not authorized in this Agreement, El Camino Hospital may unilaterally and immediately terminate the access to the Program by Practice and seek such legal and/or equitable relief as each party deems appropriate.
ARTICLE V
Disclaimer of Warranties. EL CAMINO HOSPITAL MAKES NO REPRESENTATION, WARRANTY OR GUARANTY, EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR PARTICULAR PURPOSE WITH REGARD TO THE PROGRAM SUPPLIED TO PRACTICE PURSUANT TO THIS AGREEMENT. SHOULD THE PROGRAM FAIL OR BE
INACCURATE, UNDER NO CIRCUMSTANCES SHALL EL CAMINO HOSPITAL BE LIABLE FOR ANY LOSS OF PROFITS TO PRACTICE OR FOR SPECIAL, CONSEQUENTIAL, EXEMPLARY OR ANY OTHER DAMAGES (ALL OF WHICH ARE HEREBY EXPRESSLY WAIVED BY PRACTICE AS PART OF THE CONSIDERATION FOR THIS AGREEMENT), EVEN IF EL CAMINO HOSPITAL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
ARTICLE VI
Section 6.1. No Assignment. Practice may not assign this Agreement. Section 6.2. Fees and Expenses. If El Camino Hospital brings any action at law or in equity, or pursues arbitration or mediation to enforce its rights under this Agreement or arising from access granted under this Agreement, it shall be entitled to reasonable attorney's fees, costs and expenses, in addition to any other remedy or relief to which such party may be entitled. Section 6.3. Notice
Notice referenced under this agreement shall be as follows:
Section 6.4. Termination. All privacy and confidentiality obligations established under this Agreement shall survive termination of this Agreement or access permitted under it.
Section 6.5. Entire Agreement, Governing Law, Jurisdiction, and Venue. This Agreement constitutes the complete understanding among the parties and incorporates all prior understandings among the parties on the subject of access to the Program. There are no promises or agreements, either oral or written, among the parties on this subject other than as set forth herein. No modification of this Agreement shall be binding unless the same is in writing and signed by the respective parties hereto. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to conflict of law principles. Each party consents to submit to the exclusive jurisdiction and venue of the federal and state courts within the State of California, County of Santa Clara and each party hereby consents to personal jurisdiction in such forum, for any action, suits or proceedings arising out of or relating to this Agreement.
Section 6.6. Signature Authority for Practice. The individual executing this Agreement for and on behalf of Practice/Organization represents and warrants that (a) he or she has the actual authority to enter into this Agreement on behalf of the Practice/Organization, and (b) he or she is acting within the scope of his or her authority to enter into and execute the Agreement for and on behalf of the Practice/Organization.
[Signature Page Follows]
For Report of potential privacy breaches/unauthorized use of the Program or patient information:
El Camino Hospital Privacy Officer
2500 Grant Road
Mountain View, CA 94040
650-940-7032
For Program use authorization and termination; password assignment, revocation or compromised password:
IT Security Team
650-962-5808
Page 5 of 5
El Camino Hospital ICare Link User Agreement - Signature Page
PRACTICE:
By: ___________________________ Date __________________________
Signature/Authorized Legal Representative
Printed Name: ______________________________
El Camino Hospital:
By: ___________________________ Date __________________________
Printed Name: ______________________________
Page 1 of 2
Terms & Conditions
of El Camino Hospital Epic CareLink Use
The privacy of a patient’s health and other confidential information is a right protected by
law and enforced by fines and criminal penalties. Safeguarding patient information is a
fundamental obligation for all persons accessing it. Your clicking on “I AGREE” at the
end of this statement will commit you to that obligation, and WILL be used as proof that
you understand and agree to the stated basic duties and facts regarding privacy and
protection of patient information.
Read it carefully.
Clicking on “I AGREE” indicates the following:
1. I agree to protect the privacy and security of patient information accessed through El
Camino Hospital EpicCareLink at all times.
2. I agree to a) access patient information to the minimum extent necessary for my assigned
duties and b) disclose such information only to persons authorized to receive it.
3. I agree that I understand the following:
a. EL CAMINO HOSPITAL (ECH) tracks all user IDs used to access EpicCare Link. Those
IDs enable discovery of inappropriate access to patient records.
b. Inappropriate access and/or unauthorized release of patient information will result in a
report to authorities charged with professional licensing, enforcement of privacy laws and
prosecution of criminal acts. I further understand and agree that inappropriate access and/or
unauthorized release of patient information may result in temporary and/or permanent
termination of my access to El Camino Hospital EpicCareLink.
c. That I will be assigned a User ID & a one-time use activation code. I agree to
immediately select and enter a new password known only to me. I understand I may change my
password at any time, and will do so based on El Camino Hospital EpicCareLink policy and/or
when prompted. I understand that I am to be the only individual using and in possession of my
confidential password. I am aware that the User ID and password are equivalent to my signature.
Also, I am aware that I am responsible for any use of El Camino Hospital EpicCare Link
utilizing my User ID and password. This includes data entered, viewed, printed or otherwise
manipulated. If I have reason to believe that my password has been compromised, I will report
this information to El Camino Hospital’s IT Security Team and I will also immediately change
my password. I understand that User IDs cannot be shared. Inappropriate use of my ID
(whether by me or anyone else) is my responsibility and exposes me to severe consequences.
Page 2 of 2
4. I understand that patient information includes but is not limited to:
Any individually identifiable information in possession or derived from a provider of health care
regarding a patient's medical history, mental, or physical condition or treatment, as well as the
patients and/or their family members records, test results, conversations, research records and
financial information. (Note: this information is defined in HIPAA as “protected health
information.”) Examples include, but are not limited to:
- Physical medical and psychiatric records including paper, photo, video, diagnostic
and therapeutic reports, laboratory and pathology samples;
- Patient insurance and billing records;
- Centralized and/or department based computerized patient data and alphanumeric
radio pager messages;
Page 1 of 2
Please complete the following form, reading all directions where provided, to initiate enrolling your practice in iCare Link.
The directions contain specific information essential to expedite your enrollment. You will also be required to sign an
Indemnity Agreement to complete your enrollment. Thank you.
Section I: Practice Information:
Practice Name: ___________________________________________________________________________
Physician Name: (Last, First) ____________________ Physician NPI: ____________
Physician Specialty: ___________Physician Email: _____________________Physician Mobile: ____________
Office Phone: ___________________ Fax: _______________ Backline Phone: _________________________
Street Address ________________________ City: __________________State: __________ Zip: ___________
Office Manager Name: _____________Phone: ___________Office Manager mobile: _________
Office Manager Email: _____________________________________________________________
Number of Physicians, Nurse Practitioners and/or Physician Assistants_______________________
Number of Non-Provider Staff to be trained: _________________________________
Mailing address and/or additional office location addresses, other than primary location, if applicable:
___________________________________________________________________________________
Section 2: Electronic Medical Record (EMR) Status and Information:
We currently use an EMR. EMR Vendor & Version: _____________________________________________
We have chosen an EMR. EMR Vendor & Version: ____________________________ Install Date: _______
We are in the process of choosing an EMR Vendor
We do not plan to implement an EMR system
Member of IPECH
Member of IPECH and signed up for ECW
___________________________________________________________________________________
Section 3: PC Operating System Information:
MD Computer Operating System___________________ Office Computer Operating System________________
iCare Link Enrollment Form
Page 2 of 2
Section 4: Practice Providers: Please complete the following for each provider. All fields are required
Provider First Name | M.I. | Provider Last Name | Degree | Specialty | NPI | Email Address (Required)
Ex: John | M | Example | MD | Int. Med. | 0000012345 | [email protected]
Section 5: Staff Users: Please list all Staff members (non-providers) requesting access to ProAccess
Staff First Name | M.I. | Staff Last Name | Title | Email Address (Required)
Ex: Jane | K | Doe | Medical Assistant | [email protected]
Section 6: User Administrator: Each practice must designate a candidate to be certified as the iCare Link User
Administrator. This person must be approved by the physician(s) of record. Please complete the following for the
User Administrator designee for your practice.
Name: _________________________________ Title: ____________________________________
Email: _________________________________________________________________________________
The section below must be completed by the provider signatory of record for this organization.
Provider Designation of User Administrator
I understand El Camino Hospital requires each organization to designate a person to be certified as the iCare Link User
Administrator who will be responsible for managing user accounts and ensuring privacy and security compliance. I
hereby designate the individual named in Section 6 as the iCare Link User Administrator for my organization.
Provider Signature: ___________________________________ Title: _____________________________________
Printed Name: ________________________________ Date: _____________________________________
EL CAMINO HOSPITAL
MyCare Terms & Conditions
By agreeing to these terms and conditions, I acknowledge that I am requesting El Camino Hospital to release my personal health information, including test results, to my online personal health record and to grant me access to my online personal health record, including the ability to communicate with my health care team concerning my health information via the internet using the El Camino Hospital application, MyCare. I understand that my medical clinicians are prohibited by California law from releasing certain test results to me electronically and consequently I may not be able to access all of my health information online in MyCare. I understand that El Camino Hospital reserves the right to limit or discontinue my use of MyCare if I do not abide by these terms and conditions or at the sole discretion of El Camino Hospital.
Privacy and Security Policy
El Camino Hospital considers the privacy of your health information to be one of the most important elements in our relationship with you. Our responsibility to maintain the confidentiality of your health information is one that we take very seriously. The following notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review carefully: http://www.elcaminohospitalservices
Summary of Requirements
E-Messaging should never be used for urgent matters.
A valid and functional e-mail address must be provided.
Online ID and password should not be shared with anyone. Use of El Camino Hospital's MyCare is for accessing an individual’s health information or authorized access to health information of someone in my care.
Use of MyCare
I understand that El Camino Hospital’s MyCare should never be used for urgent matters. I acknowledge the anticipated turnaround time for response to electronic messages is 1 to 2 business days. For all urgent matters that I believe may immediately affect my health or well-being, I will, without delay, contact my clinician by telephone, and/or go to the emergency department of a local hospital, and/or dial 911.
I understand that my health care team may send me secure e-Messages via MyCare. These messages may contain information that is important to my health and medical care. It is my responsibility to monitor these messages. By entering my valid and functional email address, I have enabled El Camino Hospital to notify me of messages sent to my inbox. I understand that maintaining my current email contact information with El Camino Hospital’s MyCare is my responsibility and I will update my email address on MyCare as needed. I agree to not upload any attachments which violate any copyright laws, international or otherwise, or attach images which depict pornography or any material deemed in any manner illegal or unauthorized by state or federal laws or regulations and are not related to my own personal clinical care except for those for which I have legal proxy access. This agreement shall be construed in accordance with, and shall be governed by, the procedural and substantive laws of the State of California.
Online ID and Password
I understand that I must create a unique MyCare Identification (ID) code and password to be used to access my health information. Inquiries and entries that I make will be logged with my identity. I understand that it is extremely important that I keep my MyChart ID and password completely confidential. If at any time I feel that the confidentiality of my password has been compromised, I will change it by going to the Password link on the website. I understand that El Camino Hospital takes no responsibility for and disclaims any and all liability or consequential damages arising from a breach of health record confidentiality resulting from sharing or losing my password. If El Camino Hospital discovers that I have inappropriately shared my password with another person or that I have misused or abused MyCare privileges in any way, my participation in MyCare may be discontinued by El Camino Hospital without prior notice. I understand that I must not share my MyChart ID and/or Password with any other website, party, or vendor (for example, a mobile app or website that collects and displays health information). In doing so, I hold myself accountable for any interaction this has between MyCare and the 3rd party and do not hold El Camino Hospital liable for my personal information and/or patient information that is accessed by the 3rd party and what they do with this information.
Verification of Identity
I understand that my enrollment is contingent on verification of my identity either in person or by comparing my signature provided on the Release of Information form with my signature in my health record.
Deactivation of My Account
I understand that MyCare may be deactivated upon my request or at the discretion of El Camino Hospital for failure to meet these Terms and Conditions.
Disclaimer
I understand that MyCare may not be available to me at all times due to unanticipated system failures, back-up procedures, maintenance, or other causes beyond the control of El Camino Hospital. Access is provided on an “as-is, as-available” basis and El Camino Hospital does not guarantee that I will be able to access MyCare at all times. During times when MyCare is unavailable, other communication methods (e.g., telephone) should be used to contact El Camino Hospital or my clinician. I understand that El Camino Hospital takes no responsibility for and disclaims any and all liability arising from any inaccuracies or defects in software, communication lines, the virtual private network, the Internet or my Internet Service Provider (ISP), access system, computer hardware, or any other service or device that I used to access MyCare.
EL CAMINO HOSPITAL HEALTH INFORMATION MANAGEMENT SERVICES
POLICIES AND PROCEDURES
x.xx MyCare: Proxy Access
A. Coverage:
El Camino Hospital Personnel
B. Reviewed/Revised: 02/15
C. Policy Summary:
All patient information is considered confidential. Information that identifies or potentially identifies a patient, or information about a specific patient, will not be disclosed unless authorized by law or by the patient / legal guardian.
This procedure ensures confidentiality of patient information and allows for limited information to be accessed by the patient's legal guardian or designated patient proxy via MyChart.
D. Procedure for requesting Adult Proxy access of Minor patient:
1. Parent, legal guardian or conservator can request Proxy access to a minor's chart by completing a MyCare Child Proxy access form.
2. El Camino Hospital will validate the parent, legal guardian or conservatorship relationship of the minor patient.
3. Once validated and approved, a MyCare account will be created for proxy use.
4. Limited access is granted based on the minor's age due to state and federal patient privacy regulations.
5. Proxy access of a minor patient will terminate when the minor patient turns 18 years of age.
Health Information Management Services Policies and Procedures
1.10 Emergency Release of Patient Information Page 2 of 2
E. Procedure for requesting Adult Proxy access of Adult patient:
1. A patient 18 years of age and older can designate a proxy by completing a MyCare Adult proxy form and a MyChart: Adult proxy release of protected health information authorization.
2. El Camino Hospital will validate the patient's request and authorization.
3. Once validated and approved, a MyCare account will be created for proxy use.
4. The Authorization for Release of Protected Health Information is valid for 10 years from the date of patient signature unless otherwise specified. Proxy access will expire on the specified date of expiration if not renewed.
F. References:
California Hospital Association Consent Manual, 2013
2500 Grant Road, Mountain View, CA 94040-4378
Telephone: (650)988-7462 │Fax: (650)988-8246
DRAFT Patient Label
MyChart: Adult Proxy Request Form
To request access to the MyChart record of an adult patient whose medical care you help manage, please complete this form. Both the patient and proxy representative must sign this form. In addition, the patient must authorize the release of records via MyChart by completing the "Adult Proxy Release of Information Authorization" form.
Patient Information:
Patient Name:
Address:
City:
State: Zip:
Date of Birth:
Proxy Information:
Representative Name:
Address:
City:
State: Zip:
Phone:
Date of Birth:
Email address:
Your relationship to patient*:
Durable Power of Attorney    Conservator    Other: ____________________
*Legal documents may be required to validate relationship, e.g., birth certificate, guardianship/conservatorship appointment, durable power of attorney
MyChart Terms and Conditions:
I understand that:
MyChart is intended as a secure online source of confidential medical information. If I share my MyChart ID and password with another person, that person may be able to view my or my child's health information, and health information about someone who has authorized me as a MyChart proxy.
It is my responsibility to select a confidential password, to maintain my password in a secure manner, and to change my password if I believe it may have been compromised in any way.
MyChart contains selected, limited medical information from a patient's medical record and does not reflect the complete contents of the medical record.
My activities within MyChart may be tracked by computer audit, and entries that I make may become part of the patient's medical record.
MyChart is provided by El Camino Hospital as a convenience to its patients. El Camino Hospital has the right to deactivate access to MyChart at any time for any reason.
MyChart is voluntary and I am not required to use MyChart or to authorize a MyChart proxy.
The authorization form may be revoked in writing at any time, except to the extent that the information has already been accessed. I must submit my revocation to El Camino Hospital.
Mail completed form to: El Camino Hospital, Attention: HIM Dept. (Medical Records), 2500 Grant Road, Mountain View, CA 94040 - OR - Fax to: 650-988-8246
By signing below, I acknowledge that I have read and understand the requirements for designating the person named above as my MyChart Proxy, thereby allowing them access to my MyChart medical record.
__________________________________________________ _______________________
Signature of Patient or Healthcare Representative / Date
If signed by someone other than the patient, state your legal relationship to the patient: __________________________________________________
Relationship
OFFICE USE ONLY: Patient relationship verified by:________
Proxy access approved:
Yes No
Activation Letter Sent :
Yes No Date Sent:___________
MyChart: Child Proxy Request Form
I hereby request El Camino Hospital (ECH) to provide access to the health information of the minor child listed below via MyChart. Please note the following age range limitations for MyChart. These age range limitations do not affect any legal right you have to access your child's record by other means. To request a paper copy of your child's record, please contact the HIM Department at 650-988-7462.
If your child is age 0 – 11: You will be granted full access to your child's MyChart record.
If your child is age 12 – 17: You will be granted partial access to your child's MyChart record.
Once your child reaches age 18, you will no longer have access to your child's MyChart account unless the patient signs an adult proxy.
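The proxy access rules from the HIM proxy policy (procedures D and E) and this form, written out as an added example that is not El Camino Hospital's own code: the 0-11 full / 12-17 partial tiers, termination on the 18th birthday, the requirement that only a patient aged 18 or older can sign an adult proxy, and the 10-year authorization life come from the text; the function and class names are hypothetical, and treating the expiration and revocation dates as exclusive is an assumption the policy does not settle.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

# Added example, not El Camino Hospital's own code: a policy check for
# MyChart proxy access as described in the HIM proxy policy and the proxy
# request forms. Thresholds are taken from that text; names are hypothetical.


class Access(Enum):
    NONE = "none"        # no proxy access
    PARTIAL = "partial"  # limited access (minor aged 12-17)
    FULL = "full"        # full access (minor aged 0-11, or a valid adult proxy)


def age_in_years(dob: date, on: date) -> int:
    """Completed years between dob and on; a birthday not yet reached this year counts down."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def add_years(d: date, years: int) -> date:
    """Same month/day `years` later; 29 Feb rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def child_proxy_access(child_dob: date, on: date, relationship_verified: bool) -> Access:
    """Adult proxy access to a minor's MyChart record (policy procedure D).

    Access is granted only after HIM has verified the parent/guardian/conservator
    relationship, is full for ages 0-11, partial for ages 12-17, and terminates
    on the child's 18th birthday.
    """
    if not relationship_verified:
        return Access.NONE
    age = age_in_years(child_dob, on)
    if age <= 11:
        return Access.FULL
    if age <= 17:
        return Access.PARTIAL
    return Access.NONE  # 18 or older: an adult proxy authorization is needed instead


@dataclass(frozen=True)
class AdultProxyAuthorization:
    patient_dob: date
    signed_on: date                     # date of patient signature
    expires_on: Optional[date] = None   # "unless otherwise specified"
    revoked_on: Optional[date] = None   # written revocation, if any
    request_validated: bool = False     # HIM validated the request and authorization

    def expiry(self) -> date:
        # Policy: valid for 10 years from signature unless otherwise specified
        return self.expires_on or add_years(self.signed_on, 10)


def adult_proxy_access(auth: AdultProxyAuthorization, on: date) -> Access:
    """Proxy access to an adult patient's record (policy procedure E).

    Assumption: access ends at the start of the expiration date and at the
    start of the revocation date; the policy does not say whether those days
    are inclusive.
    """
    if not auth.request_validated:
        return Access.NONE
    if age_in_years(auth.patient_dob, auth.signed_on) < 18:
        return Access.NONE  # only a patient 18 or older can designate a proxy
    if on < auth.signed_on:
        return Access.NONE
    if on >= auth.expiry():
        return Access.NONE
    if auth.revoked_on is not None and on >= auth.revoked_on:
        return Access.NONE
    return Access.FULL


if __name__ == "__main__":
    # Constructed sample data for illustration.
    child = date(2004, 3, 10)
    print(child_proxy_access(child, date(2015, 5, 21), True).value)  # full (age 11)
    print(child_proxy_access(child, date(2016, 3, 10), True).value)  # partial (turns 12)
    print(child_proxy_access(child, date(2022, 3, 10), True).value)  # none (turns 18)
    auth = AdultProxyAuthorization(date(1980, 1, 1), date(2015, 5, 21), request_validated=True)
    print(adult_proxy_access(auth, date(2025, 5, 20)).value)  # full
    print(adult_proxy_access(auth, date(2025, 5, 21)).value)  # none (expired)
```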
Patient Information:
Patient Name:
Address:
City:
State: Zip:
Date of Birth:
Proxy Information:
Your Name:
Address:
City:
State: Zip:
Phone:
Date of Birth:
Email address:
Your relationship to child*: Parent Legal Guardian Conservator Stepparent
*Legal documents may be required to validate relationship, e.g., birth certificate, guardianship/ conservatorship appointment
MyChart Terms and Conditions:
I understand that:
MyChart is intended as a secure online source of confidential medical information. If I share my MyChart ID and password with another person, that person may be able to view my or my child's health information, and health information about someone who has authorized me as a MyChart proxy.
It is my responsibility to select a confidential password, to maintain my password in a secure manner, and to change my password if I believe it may have been compromised in any way.
MyChart contains selected, limited medical information from a patient's medical record and does not reflect the complete contents of the medical record.
My activities within MyChart may be tracked by computer audit, and entries that I make may become part of the patient's medical record.
MyChart is provided by El Camino Hospital as a convenience to its patients. El Camino Hospital has the right to deactivate access to MyChart at any time for any reason.
MyChart is voluntary and I am not required to use MyChart or to authorize a MyChart proxy.
The authorization form may be revoked in writing at any time, except to the extent that the information has already been accessed. I must submit my revocation to El Camino Hospital.
Mail completed form to: El Camino Hospital, Attention: HIM Dept. (Medical Records), 2500 Grant Road, Mountain View, CA 94040 - OR - Fax to: 650-988-8246
By signing below, I acknowledge that I have read and understand the requirements for accessing my child's medical record information online. I certify that I am the birth parent or legal guardian of the child listed above and that all information I have provided is correct.
__________________________________________________ _______________________
Signature of Parent / Legal Guardian / Date
OFFICE USE ONLY: Patient relationship verified by:________
Proxy access approved:
Yes No
Activation Letter Sent :
Yes No Date Sent:___________
iCare: CareEverywhere Authorization to Access Protected Health Information
Patient's Name:_______________________________________________________ Date of Birth: ______/____/______ Telephone: ____________________________
I authorize the following facility to access my El Camino Hospital (ECH) protected health information for treatment purposes:
Facility Name:
Address 1:
Address 2:
City: State: Zip:
Information Released:
I understand that the information to be released will include all information available in my electronic medical record and may include information relating to the diagnosis and/or treatment of mental illness, alcohol/drug abuse, AIDS, HIV test results, developmental disabilities, sexually transmitted diseases and genetic testing.
Expiration of Authorization:
Unless otherwise revoked, this authorization expires 1 year from the date of signature or as specified:______________________
Notice of Patient Rights:
I understand that:
● This authorization may be revoked in writing at any time, except to the extent that the information has already been accessed. I must submit my revocation to ECH.
● I may refuse to sign this authorization. Treatment, payment, enrollment, or eligibility for benefits will not be conditional upon this authorization being signed.
● Information released based on this authorization could be re-released by the recipient and may no longer be protected by federal law. However, California law prohibits the person receiving health information from further release without authorization unless required or permitted by law.
● I have a right to receive a copy of this authorization.
_____________________________________ ________________________
Patient Signature
Date
If signed by someone other than patient, indicate legal relationship (e.g. legal guardian):___________________________________________________________
EL CAMINO HOSPITAL
HEALTH INFORMATION MANAGEMENT SERVICES
POLICIES AND PROCEDURES
1.10 Release of Patient Information for Treatment purposes [via fax, mail or secure health information exchange.]
A. Coverage:
El Camino Hospital Health Information Management
B. Reviewed/Revised:
3/06, 03/08, 3/09, 5/10, 6/13, 01/15
C. Policy Summary:
All patient information is considered confidential. Information that identifies or
potentially identifies a patient, or information about a specific patient, will not be
disclosed unless authorized by law, patient, or when a clear medical emergency exists.
This procedure ensures confidentiality of patient information and allows information
needed for medical treatment purposes to be disclosed via fax, or secure electronic health
information exchange.
D. Procedure for release of records to a treating provider via fax or mail:
1. Records may be released to other medical facilities or healthcare professionals
upon receipt of a patient authorization or written request from the treating provider.
2. The patient authorization or written request can be faxed to Health Information
Management Services or the treating unit. Please note: After normal HIM business
hours, the Hospital Supervisor will respond to urgent release of information requests.
3. The request must be written on the requesting entity's letterhead or fax coversheet,
must be addressed to El Camino Hospital and must contain the following:
a. Facility requesting the information, including their telephone number and
fax number.
b. Name of the physician treating the patient, if available.
c. Name of patient, date of birth, and information needed. The request must
be specific with regard to records and dates of services needed.
Health Information Management Services Policies and Procedures
1.10 Release of Patient Information for treatment purposes Page 2 of 2
4. Health Information Management Services staff or treating unit will disclose only
information necessary for the continued treatment of the patient. For urgent requests,
patient information will be faxed to the treating provider. For non-urgent requests,
patient information will be mailed to the treating provider.
5. Requests for releases of information will be filed in the legal medical record
which includes the following information:
a. Written request
b. Information disclosed.
c. Fax confirmation sheet.
E. Procedure for release of records to a treating provider via Care Everywhere:
El Camino Hospital will routinely share a patient's protected health information for
continuity of care purposes to a treating facility. Protected health information will be
accessed by the treating facility via secure health information exchange in accordance
with El Camino Hospital's Notice of Privacy Practices.
El Camino Hospital will require that a patient authorization be obtained by the treating
facility prior to Behavioral Health records being accessed. Patient health information will
not be released via CareEverywhere if a patient has requested exemption from the secure
electronic health information exchange. This exemption will be documented in the
patient's legal medical record.
F. Procedure for release of records via EpicCare link:
Referring physicians who are not on ECH medical staff and who have signed an
EpicCare link access agreement will have the ability to view mutual electronic
patient health information via a secure link on a mutual patient. A recorded
relationship between the patient and provider must be documented in the patient's legal
medical record before a provider can access the information.
Patient information will not be released via EpicCare link if a patient has requested
exemption from the secure health information exchange. This exemption will be
documented in the patient's legal medical record.
2 Copyright © 2015 Deloitte Development LLC. All rights reserved. Strategic Risk Solutions | El Camino ERM Assessment | June 2015
Contents
ERM Capabilities and Approach 3
ERM Program Assessment Results 5
Enterprise Risk Assessment Results 8
Appendix A: Interview List 10
Appendix B: Healthcare Trends 12
Appendix C: ERM Program Assessment Results - Detail 17
The summary provides the highlights of the ERM journey and next steps.
Enterprise Risk Journey
Conducted Enterprise Risk Assessment:
• Identified key risks from internal El Camino perspective
• Identified key risks from external perspective - healthcare disruptions and trends
• Prioritized key risks and identified 3 top risks
Identified top risks
Assessed ERM program and capabilities and recommended next steps
Begin to build sustainable ERM program
What’s next?
• Identify sponsors of top 3 risks to develop and drive risk response strategies
• Develop objective criteria to monitor and evaluate progress addressing top 3 risks
• Risk owners develop and implement risk response action plans
• Sustain ERM program – enhance/develop ERM program, report on progress addressing top risks, and identify/escalate potential top risks on ongoing basis
ERM Project Approach - Overview
Below is a summary of the project approach and outcomes.
Interviews
• Gathered potential risks from Deloitte subject matter specialists
• Conducted 14 interviews with board and executive management to gather internal perspectives on top risks and ERM capabilities
Strategic Risk Lab
• Discussed emerging trends that are shaping the healthcare industry
• Identified key risks associated with the trends
• Prioritized risks based on interviews and emerging trends
Outcomes
• Identification of top 3 enterprise risks and drivers
• Proposed recommendations and next steps for building ERM program
Sustainable ERM Program
ERM is an on-going, sustainable process that cycles through the following steps:
Identify risks
Assess risks
Prioritize risks
Assign risk owners / develop risk response
Monitor and report
ERM Program Assessment - What We Heard
During the interviews a number of consistent messages were communicated about ERM expectations and potential limitations of success.
Strong dependency on single partner may cause uncertainty around risk prioritization
ERM should raise awareness of significant risks to El Camino’s business
Board and executive leadership team do not fully understand importance of ERM in healthcare
Highest risks should be escalated to the board
Executive team and board should have robust risk discussions on a regular basis
Challenge in consolidating and tracking risks related to large number of independent physicians
Development of guiding risk principles can raise risk awareness and assign risk responsibility
ERM should facilitate proactive monitoring and communication on effectiveness and progress of key risk mitigation plans
Lack of accountability and ownership of risks exists
Market pressure on margins may limit reallocation of resources to key risks
ERM Program Assessment - Executive Summary
Current state and proposed recommendations for developing an ERM program at El Camino
Current State of ERM Capabilities at El Camino
1. Board receives reports regarding certain risk management activities (e.g. compliance, financial, internal audit); however, the most significant risks are not consistently escalated and discussed with the board.
2. Full board and Corporate Compliance Committee do not receive a single, enterprise-wide report on key risks to the organization and how they’re managed.
3. Executive Advisory Committee (EAC) has varied knowledge on level of acceptable risk for El Camino; board and EAC have not agreed on an acceptable level of risk.
4. Currently, departmental and organizational performance dashboards are used to informally identify and monitor certain risks (not key risks).
5. The organization does not currently have an efficient, standardized, and understood process to identify, assess and manage prioritized key enterprise risks.
6. Training on ERM overview planned for executive team and board.
Proposed Recommendations
1. Develop a Management Risk Committee, consisting of key EAC members and key risk owners, that will oversee and manage key risks and ERM process and program; develop risk committee charter.
2. Clearly define risk roles and responsibilities for board, corporate compliance committee, EAC, ERM leader, management risk committee, and risk owners (e.g. oversight, management, monitoring, and reporting).
3. Educate EAC, management risk committee, and risk owners on risk management roles and responsibilities.
4. Establish and clearly define corporate risk appetite / thresholds. Obtain approval from the board on the risk appetite to help executives allocate capital and resources and focus on El Camino’s most impactful risks.
5. Establish ERM framework to include risk governance, strategy, business and operating models, data, analytics, and technology.
6. Standardize ERM processes to identify, assess, prioritize, respond to, monitor, and report on key risks.
Risk Assessment - Top 3 Enterprise Risks
Three top enterprise risks and associated drivers were identified through internal interviews and consideration of external emerging healthcare trends during a half-day Lab with executives (healthcare trends are described in Appendix B). Enterprise risks and drivers are interdependent, requiring collaborative development and implementation of risk mitigation and response plans.
Top 3 enterprise risks:
• Business Model: El Camino Hospital is not positioned to compete or thrive in the evolving healthcare market
• Physician Strategy & Alignment: Long-term viability of current physician strategy
• Strategy Execution: Inefficient and / or ineffective implementation of the strategy
Drivers (the slide diagram shows linkages between these drivers and the risks above):
• Limited scale and geography
• Limited bandwidth and resources
• Competing strategic priorities
• Decrease in reimbursement rates due to shift in payor mix
• Mid-long term capital plan overlooks opportunities of changing healthcare environment
• Lack of diversification in portfolio of services
• Independent physician network makes executing initiatives difficult
• New and existing competitors continue to innovate at rapid pace
• Tenuous PAMF agreement / ownership by competition
Risk Assessment - Enterprise Risk Definitions
El Camino’s 3 enterprise risks as presented on slide 8 are described below.
Business Model
• As new and existing competitors continue to rapidly innovate in the quickly evolving healthcare market, El Camino is not positioned to compete and thrive because its business model does not (1) address its limited scale and geographical reach, (2) include a diversified portfolio of services, (3) have a viable long term physician strategy
• Funding of El Camino’s business model overlooks potential opportunities to compete and thrive: (1) mid to long term capital plan does not address limited scale, geographical reach or diversified portfolio, and (2) drop in reimbursement rates due to shifting payor mix is not considered
Strategy Execution
• El Camino may not efficiently or effectively execute its strategy because (1) strategic priorities may not be well defined resulting in too many initiatives and overlapping responsibilities and (2) people and/or resources are limited
Physician Strategy & Alignment
• Physician strategy and infrastructure (1) may place El Camino at risk of losing half of its admissions if Sutter (a large competitor) decides Palo Alto Medical Foundation (PAMF) should no longer partner with El Camino, and (2) relies on an independent physician network that is disparate and creates difficulty in rolling out new initiatives and systems, like EPIC
Listed below are the people interviewed during the ERM capability and enterprise risk assessment.
List of Interview Participants
Name Title
Neil Cohen, MD Chair of the El Camino Board of Directors
Tomi Ryba Chief Executive Officer
Kathryn Fisk Chief of Human Resources
Matt Harris Controller
Iftikhar Hussain Chief Financial Officer
Richard Katzman Chief Strategy Officer
Ken King Chief Administrative Services Officer
H. Malik Chief Information Security Officer
Eric Pifer Chief Medical Officer
Cheryl Reinking Chief Nursing Officer
Diane Wigglesworth Chief Compliance Officer
Greg Walton Chief Information Officer
Mick Zdeblick Chief Operating Officer
John Zoglin Chair of the Board Compliance Committee
Eight potential healthcare trends were considered in identifying strategic risks to El Camino and are described over the next 3 slides.
Healthcare Trends
Healthcare Trends (continued)
Healthcare Trends (continued)
Healthcare Trends (continued)
Current capabilities and enhancement opportunities - Strategy
Key Capabilities Currently in Place or Being Enhanced
• Risk appetite has not been formally defined or established by the board and EAC has varied knowledge on level of acceptable risk for El Camino
• Working with the third party to conduct enterprise risk assessment to identify key risks that can limit or enhance El Camino’s ability to achieve its strategies
• New and emerging risks and disruptions in external environment are not currently factored into business strategy and competitive advantage; Strategic Risk Lab to discuss potential disruptions and associated strategic risks is scheduled for April
Proposed Recommendations
1. Risk Appetite:
- Educate board and executive leadership team on value and process for developing a corporate risk appetite
- Establish and clearly define corporate risk appetite / thresholds to help enable risk decisions at the right levels. Obtain approval from the board on the risk appetite to provide high-level direction to EAC on addressing risks and allocating capital and resources
2. Deploy a consistent and ongoing approach to challenge the business assumptions underlying El Camino’s strategies and associated strategic risks
3. Develop an approach to monitor the external environment to identify new and emerging strategic risks on an ongoing basis
Current capabilities and enhancement opportunities - Governance and Culture
Key Capabilities Currently in Place or Being Enhanced
• Board receives reports regularly, in conjunction with the specific risk management activities (e.g. compliance, financial, and internal audit reports)
• Corporate Compliance/Privacy and Audit Committee reports to the board after each meeting including minutes and decisions made
• Full board and Corporate Compliance Committee do not receive a single, enterprise-wide report on key risks to the organization
• EAC reviews the performance dashboard and organization goals on a monthly basis; additionally, compliance provides an update on an as needed basis
• Chief Operating Officer has been tasked with developing and facilitating an ERM program with the Chief Compliance Officer
• Management Risk Committee to oversee and manage ERM process does not currently exist
• Key risks to the organization have not been identified collectively or assigned owners
• Board is enhancing risk culture by establishing an ERM program to identify, assess, manage, monitor, and report enterprise risks
Proposed Recommendations
4. Develop risk management guiding principles
5. Clearly define risk roles and responsibilities for board, corporate compliance committee, EAC, ERM leader, Management Risk Committee, and risk owners; roles will address oversight, management, monitoring, and reporting of key risks
6. Develop Management Risk Committee, consisting of key EAC members and key risk owners, who will oversee and manage key risks and ERM process and program
7. Develop cadence for monitoring and reporting of key risks to EAC, compliance committee, and full board
8. Compliance committee should receive a comprehensive view of key risks to the organization and oversee El Camino’s progress on addressing those risks and the ERM program
9. Educate:
- Board and corporate compliance committee on risk oversight roles and responsibilities
- EAC, Management Risk Committee, and risk owners on risk management roles and responsibilities
Current capabilities and enhancement opportunities - Business and Operating Models
Key Capabilities Currently in Place or Being Enhanced
• Currently El Camino departmental and organizational performance dashboards are used to informally identify and monitor certain risks (not necessarily key risks)
• Enterprise risk framework is not developed or approved by EAC and Board
• El Camino is working with a third party to conduct an enterprise risk assessment to identify, assess, and prioritize key risks to El Camino’s strategies
• El Camino does not have a process to identify and escalate new and emerging key risks on an ongoing basis
• The organization does not currently have an efficient, standardized, and understood process to manage prioritized key enterprise risks
• Training on overview of ERM planned for EAC and board
• Separate processes are in place to address certain risks (e.g. business continuity plan, financial)
Proposed Recommendations
10. Standardize ERM processes to identify, assess, prioritize, and respond to key risks
11. Conduct an enterprise risk assessment (ERA) on an annual basis (e.g., risk register, risk rating criteria, interviews, prioritization)
12. Assign key risks to executive risk owners to develop risk response plans
13. Conduct ERM training for risk owners on roles and responsibilities, including managing, monitoring, and reporting on key risks
14. Deploy a consistent and ongoing approach to proactively identify significant new or emerging strategic risks
Current capabilities and enhancement opportunities - Risk Monitoring, Reporting & Analytics
Key Capabilities Currently in Place or Being Enhanced
• Currently El Camino department and organizational performance dashboards are used to identify and monitor certain risks (not all key risks)
• The organization does not currently have an efficient, standardized, and understood process to monitor and report on prioritized key enterprise risks
• Not all key risks to the organization are currently measured
• Currently, there is compliance monitoring in place to identify physician compensation
Proposed Recommendations
15. Standardize ERM process to monitor and report on key risks
16. Develop cadence for monitoring and reporting of key risks to EAC, compliance committee, and full board
17. Build ERM reporting dashboards with content / detail (e.g. most impactful component risks, exposure, appetite, response strategies, and monitoring) to support oversight, management, and monitoring of key risks
18. Conduct ERM training for risk owners on roles and responsibilities, including managing, monitoring, and reporting on key risks
19. Enhance reporting with sensing insights on emerging risks / trends and key risk indicators as capabilities improve
20. Deploy additional technology / tools to enable efficient risk reporting or identification of emerging risks
DATE: May 12, 2015
TO: Corporate Compliance/Privacy and Internal Audit Committee
FROM: Mick Zdeblick, Chief Operating Officer
SUBJECT: Clinical Research Overview and Risk Mitigation Plan
BOARD ACTION: Possible Motion: That the Committee recommends that the Board approve the Proposed Clinical Research Plan
El Camino Hospital Management began a process to assess clinical research at the hospital and developed a focus group to establish a mission statement, principles, operational goals and a risk mitigation plan that will support clinical research at ECH. Management also engaged Duke Cancer Network to provide an assessment of the current infrastructures and processes supporting clinical research conducted at the hospital. Based on the Duke assessment report, best practice recommendations, and advisory from the focus group, the following recommendations have been proposed.
El Camino Hospital Mission
To be an innovative, publicly accountable and locally controlled comprehensive health care organization that cares for the sick, relieves suffering, and provides quality, cost competitive services to improve the health and well-being of our community.
People and Technology: We will capitalize on the unique talents of the people in our organization and new technologies to provide a comprehensive array of services. Our organization will be efficient, effective, and grounded in our values of public community accountability and compassionate care.
El Camino Hospital Research Mission
Research at ECH is dedicated to the pursuit of outstanding clinical research that benefits our community and optimizes patient care. Therefore, our research programs must improve the scope of our clinical services, compassionate care, or relate specifically to the Triple Aim of quality, service, and affordability.
Our Research Principles
To constantly improve our knowledge and innovation in research for the
benefit of the community we serve.
To align with the most advanced medical development entities to bring new management modalities to healthcare.
To help develop the most effective and safest therapies for the future.
To offer new therapies that provide our patients with diagnostic and therapeutic options that would not otherwise be available in a community setting.
To balance the risk of supporting a portfolio of clinical research with the benefit for the community we serve.
Operate within a clear statement of principles as required by federal and state regulations.
Maintain, communicate and operate within clearly established policies and procedures that support our principles and ensure patient safety and compliance in research.
Balance access to investigational protocols for our patients, participation in cutting edge clinical research for our physicians and operating within a fiscally sustainable research model to ensure long term financial health of ECH.
Operating Goals
1. El Camino Hospital Research Focus:
o Clinical Research (not basic science, discovery based or public health).
o Clinical Disciplines (FY15 Focus – Reassess Annually):
- Heart & Vascular Institute, Cancer, Imaging, Lung, Nursing Quality Projects
o Clinical Research Phase: Our focus is on Phase II and Phase III research (not pre-clinical or Phase I/IV).
- Pre-Clinical (e.g. Lab Based); Phase I (e.g. Safety trials, 1st in Man); Phase II (e.g. FDA approved, change in use, efficacy trials); Phase III (e.g. 1st time combination of protocols, performance against a gold standard); Phase IV (e.g. Post Market follow-up). ECH Focus: Phase II and Phase III.
2. We will use strategic partnerships to advance clinical research within our community (e.g. Parkinson’s Institute).
3. Clinical Research Organizational Structure: Create a centralized clinical research office within the hospital and insource critical elements to provide proper oversight of operations and risk management. Major responsibilities of the Clinical Research Department:
o Operational oversight for ECH clinical study activation, monitoring and closeout.
o Develop Clinical Research policy and procedures, as well as educational programs for all levels of the organization.
o Conduct feasibility assessments to determine scientific merit and financial impact of new and ongoing clinical research.
- Utilize the Service Line Structure for Clinical Relevance and Alignment with Mission, Strategy recommendations.
- Form a Clinical Research Review Committee: Chair: COO; Staffed by Director of Clinical Research; Membership: CMO, COO, CNO, CFO, CSO, Director/Manager Nursing Leadership, Compliance, Legal.
- Allocate funds to support non-standard of care resource requirements per specific research endeavors, e.g. cover the loss of the trial (if necessary and strategically aligned).
o Partner with ECH stakeholders to ensure research billing compliance.
o Develop quality assurance strategy for monitoring/internal audit of protocol and billing compliance in coordination with ECH Corporate Compliance Officer, Finance and IRB.
o On an ongoing basis, assess clinical research staffing and technology needs to meet the principles and goals of the organization.
Risk Mitigation Plan for Research Compliance
1. Collaborate with the IRB to continue their objectivity in the protection of human subjects participating in research, while developing a repository of all research activities at ECH that will be leveraged by the organization to create an integrated approach to clinical research compliance.
- Clinical Research Department and IRB to establish process, templates and communication lines that will ensure consistency between legal contracts and patient consenting documents and identify opportunities to streamline the study activation and monitoring process.
2. Implement Epic’s medical record and billing system (branded “iCare” at ECH) that includes a research billing module and ensures appropriate process and procedures are in place to manage complex research billing compliance issues.
3. Assess hospital conflict of interest policy and process to ensure transparency to patients and objectivity in our research.
4. Develop hospital Subject Injury policy and procedure that provides ethical and risk appropriate treatment for injuries resulting from participation in clinical research.
5. Implement an internal audit strategy to identify and mitigate clinical research compliance risk.
- Simulate FDA audit for protocol compliance and data integrity.
- Clinical Research Billing audits for Medicare/research billing compliance.
6. Transition Clinical Trial Management System to ECH to manage the full clinical research portfolio for regulatory and billing purposes.
Corporate Compliance
Date: May 12, 2015
To: Corporate Compliance/Privacy and Audit Committee
From: Diane Wigglesworth, Director Corporate Compliance
Re: Corporate Compliance Program Activity
Attached are the metrics for April activity along with YTD information. The number of compliance
or privacy investigations has remained consistent over the last few months and is trending overall
higher than the previous fiscal year. This is due in part to issues brought forth as a result of the Epic
implementation compared to current organizational processes. The hospital has experienced only a
few reportable breaches over the last few months and the numbers are trending down significantly
compared from the previous fiscal year.
CMS initiated a visit in April as a follow up to a self-reported event by the hospital to CDPH.
The hospital is awaiting the results of that visit but does not expect an adverse outcome.
Corporate Compliance Scorecard FY15 - El Camino Hospital
Columns: Key Performance Indicator | Current Month (Apr. 2015) | Current Year Actual (Jul - Apr, FY2015) | Prior Year Actual (Jul - Apr, FY2014)
Core Elements - Policies and Procedures
Number of reported instances when policies not followed | 2 | 38 | 35
Number of disciplinary actions due to investigations | 0 | 9 | 16
Education and Training
Percentage of new employees trained within 30 days of start date | 100% | 100% | 100%
Investigations
Total number of investigations | 13 | 154 | 119
Investigations open | 0 | 0 | 0
Investigations closed | 13 | 154 | 119
Hotline concerns substantiated | 0 | 23 | 22
Hotline concerns not substantiated | 3 | 9 | 22
Average number of days to investigate concerns | 5 | 5 | 5
Reporting Trends
Anti-Kickback/Stark | 5 | 36 | 19
EMTALA | 0 | 2 | 5
HIPAA Reports | 11 | 108 | 135
HIPAA Security Breaches | 0 | 0 | 1
Billing or Claims | 6 | 34 | 18
Conflict of Interest | 0 | 0 | 0
Reported Events to CMS (prior year column is FY14 actual)
Number of total events self reported by ECH | 0 | 0 | 0
Number of self reported events followed up by CMS | 1 | 1 | 0
CMS initiated visits (separate from ECH self reported events) | 0 | 0 | 4
Number of statements of deficiencies issued to ECH | 0 | 0 | 30
Number of actual sanctions, fines or penalties | 0 | 0 | $ -
Reported Events to CDPH (prior year column is FY14 actual)
Number of total regulator events self reported by ECH | 1 | 5 | 10
Number of self reported events followed up by CDPH | 0 | 8 | 6
Number of total privacy breaches self reported by ECH | 0 | 18 | 46
CDPH initiated visits (separate from ECH self reported events) | 0 | 19 | 6
Number of statements of deficiencies issued to ECH | 0 | 6 | 5
Number of actual/realized sanctions, fines or penalties | 0 | 0 | $ 100.00
Monitoring and Audit Findings (prior year column is FY14 actual)
Total number of audit findings | 22 | 42 | 36
Number of findings identified as high severity | 7 | 15 | 6
Monitoring and Audit Findings (prior year column is FY14 actual)
Number of open liability claims | 12 | 12 | 8
Number of open liability lawsuits | 8 | 8 | 4
Attachment 9: OIG Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf
Practical Guidance for Health Care Governing Boards on Compliance Oversight
Office of Inspector General,U.S. Department of Health and Human Services
Association of Healthcare Internal Auditors
American Health Lawyers Association
Health Care Compliance Association
About the Organizations
This educational resource was developed in collaboration between the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA), the Health Care Compliance Association (HCCA), and the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS).
AHIA is an international organization dedicated to the advancement of the health care internal auditing profession. The AHLA is the Nation’s largest nonpartisan, educational organization devoted to legal issues in the health care field. HCCA is a member-based, nonprofit organization serving compliance professionals throughout the health care field. OIG’s mission is to protect the integrity of more than 100 HHS programs, including Medicare and Medicaid, as well as the health and welfare of program beneficiaries.
The following individuals, representing these organizations, served on the drafting task force for this document:
Katherine Matos, Senior Counsel, OIG, HHS
Felicia E. Heimer, Senior Counsel, OIG, HHS
Catherine A. Martin, Principal, Ober | Kaler (AHLA)
Robert R. Michalski, Chief Compliance Officer, Baylor Scott & White Health (AHIA)
Daniel Roach, General Counsel and Chief Compliance Officer, Optum360 (HCCA)
Sanford V. Teplitzky, Principal, Ober | Kaler (AHLA)
Published on April 20, 2015.
This document is intended to assist governing boards of health care organizations (Boards) to responsibly carry out their compliance plan oversight obligations under applicable laws. This document is intended as guidance and should not be interpreted as setting any particular standards of conduct. The authors recognize that each health care entity can, and should, take the necessary steps to ensure compliance with applicable Federal, State, and local law. At the same time, the authors also recognize that there is no uniform approach to compliance. No part of this document should be taken as the opinion of, or as legal or professional advice from, any of the authors or their respective agencies or organizations.
Table of Contents
Introduction 1
Expectations for Board Oversight of Compliance Program Functions 2
Roles and Relationships 6
Reporting to the Board 9
Identifying and Auditing Potential Risk Areas 11
Encouraging Accountability and Compliance 13
Conclusion 15
Bibliography 16
Introduction
Previous guidance[1] has consistently emphasized the need for Boards to be fully engaged in their oversight responsibility. A critical element of effective oversight is the process of asking the right questions of management to determine the adequacy and effectiveness of the organization’s compliance program, as well as the performance of those who develop and execute that program, and to make compliance a responsibility for all levels of management.
Given heightened industry and professional interest in governance and transparency issues, this document seeks to provide practical tips for Boards as they work to effectuate their oversight role of their organizations’ compliance with State and Federal laws that regulate the health care industry. Specifically, this document addresses issues relating to a Board’s oversight and review of compliance program functions, including the: (1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for issue-reporting within an organization; (3) approach to identifying regulatory risk; and (4) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.
[1] OIG and AHLA, Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors (2003); OIG and AHLA, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors (2004); and OIG and AHLA, Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors (2007).
Expectations for Board Oversight of Compliance Program Functions
A Board must act in good faith in the exercise of its oversight responsibility for its organization, including making inquiries to ensure: (1) a corporate information and reporting system exists and (2) the reporting system is adequate to assure the Board that appropriate information relating to compliance with applicable laws will come to its attention timely and as a matter of course.[2] The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.
Boards are encouraged to use widely recognized public compliance resources as benchmarks for their organizations. The Federal Sentencing Guidelines (Guidelines),[3] OIG’s voluntary compliance program guidance documents,[4] and OIG Corporate Integrity Agreements (CIAs) can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program. The Guidelines “offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program.”[5] The compliance program guidance documents were developed by OIG to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements. CIAs impose specific structural and reporting requirements to promote compliance with Federal health care program standards at entities that have resolved fraud allegations.
[2] In re Caremark Int’l, Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
[3] U.S. Sentencing Commission, Guidelines Manual (Nov. 2013) (USSG), http://www.ussc.gov/sites/default/files/pdf/guidelines-manual/2013/manual-pdf/2013_Guidelines_Manual_Full.pdf.
[4] OIG, Compliance Guidance, http://oig.hhs.gov/compliance/compliance-guidance/index.asp.
[5] USSG Ch. 8, Intro. Comment.
Basic CIA elements mirror those in the Guidelines, but a CIA also includes
obligations tailored to the organization and its compliance risks. Existing CIAs
may be helpful resources for Boards seeking to evaluate their organizations’
compliance programs. OIG has required some settling entities, such as health
systems and hospitals, to agree to Board-level requirements, including annual
resolutions. These resolutions are signed by each member of the Board, or the
designated Board committee, and detail the activities that have been undertaken
to review and oversee the organization’s compliance with Federal health care
program and CIA requirements. OIG has not required this level of Board
involvement in every case, but these provisions demonstrate the importance
placed on Board oversight in cases OIG believes reflect serious compliance
failures.
Although compliance program design is not a “one size fits all” issue,
Boards are expected to put forth a meaningful effort to review the adequacy
of existing compliance systems and functions. Ensuring that management is
aware of the Guidelines, compliance program guidance, and relevant CIAs is a
good first step.
One area of inquiry for Board members of health care organizations
should be the scope and adequacy of the compliance program in light of the
size and complexity of their organizations. The Guidelines allow for variation
according to “the size of the organization.”6 In accordance with the Guidelines,
OIG recognizes that the design of a compliance program will depend on the
size and resources of the organization.7 Additionally, the complexity of the
organization will likely dictate the nature and magnitude of regulatory impact
and thereby the nature and skill set of resources needed to manage and
monitor compliance.
6 USSG § 8B2.1, comment. (n. 2).
While smaller or less complex organizations must demonstrate the
same degree of commitment to ethical conduct and compliance as larger
organizations, the Government recognizes that they may meet the Guidelines
requirements with less formality and fewer resources than would be expected
of larger and more complex organizations.8 Smaller organizations may meet
their compliance responsibility by “using available personnel, rather than
employing separate staff, to carry out the compliance and ethics program.”
Board members of such organizations may wish to evaluate whether the
organization is “modeling its own compliance and ethics programs on existing,
well-regarded compliance and ethics programs and best practices of other
similar organizations.”9 The Guidelines also foresee that Boards of smaller
organizations may need to become more involved in the organizations’
compliance and ethics efforts than their larger counterparts.10
Boards should develop a formal plan to stay abreast of the ever-changing
regulatory landscape and operating environment. The plan may involve periodic
updates from informed staff or review of regulatory resources made available to
them by staff. With an understanding of the dynamic regulatory environment,
Boards will be in a position to ask more pertinent questions of management
and make informed strategic decisions regarding the organizations’ compliance
programs, including matters that relate to funding and resource allocation.
For instance, new standards and reporting requirements, as required by
law, may, but do not necessarily, result in increased compliance costs for an
organization. Board members may also wish to take advantage of outside
educational programs that provide them with opportunities to develop a better
understanding of industry risks, regulatory requirements, and how effective
compliance and ethics programs operate. In addition, Boards may want
management to create a formal education calendar that ensures that Board
members are periodically educated on the organizations’ highest risks.
7 Compliance Program for Individual and Small Group Physician Practices, 65 Fed. Reg. 59434, 59436 (Oct. 5, 2000) (“The extent of implementation [of the seven components of a voluntary compliance program] will depend on the size and resources of the practice. Smaller physician practices may incorporate each of the components in a manner that best suits the practice. By contrast, larger physician practices often have the means to incorporate the components in a more systematic manner.”); Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289 (Mar. 16, 2000) (recognizing that smaller providers may not be able to outsource their screening process or afford to maintain a telephone hotline).
8 USSG § 8B2.1, comment. (n. 2).
9 Id.
10 Id.
Finally, a Board can raise its level of substantive expertise with respect
to regulatory and compliance matters by adding to the Board, or periodically
consulting with, an experienced regulatory, compliance, or legal professional.
The presence of a professional with health care compliance expertise on
the Board sends a strong message about the organization’s commitment
to compliance, provides a valuable resource to other Board members, and
helps the Board better fulfill its oversight obligations. Board members are
generally entitled to rely on the advice of experts in fulfilling their duties.11
OIG sometimes requires entities under a CIA to retain an expert in compliance
or governance issues to assist the Board in fulfilling its responsibilities under
the CIA.12 Experts can assist Boards and management in a variety of ways,
including the identification of risk areas, provision of insight into best practices
in governance, or consultation on other substantive or investigative matters.
11 See Del Code Ann. tit. 8, § 141(e) (2010); ABA Revised Model Business Corporation Act, §§ 8.30(e), (f)(2) Standards of Conduct for Directors.
12 See Corporate Integrity Agreements between OIG and Halifax Hospital Medical Center and Halifax Staffing, Inc. (2014, compliance and governance); Johnson & Johnson (2013); Dallas County Hospital District d/b/a Parkland Health and Hospital System (2013, compliance and governance); Forest Laboratories, Inc. (2010); Novartis Pharmaceuticals Corporation (2010); Ortho-McNeil-Janssen Pharmaceuticals, Inc. (2010); Synthes, Inc. (2010, compliance expert retained by Audit Committee); The University of Medicine and Dentistry of New Jersey (2009, compliance expert retained by Audit Committee); Quest Diagnostics Incorporated (2009); Amerigroup Corporation (2008); Bayer HealthCare LLC (2008); and Tenet Healthcare Corporation (2006; retained by the Quality, Compliance, and Ethics Committee of the Board).
Roles and Relationships
Organizations should define the interrelationship of the audit, compliance,
and legal functions in charters or other organizational documents. The
structure, reporting relationships, and interaction of these and other functions
(e.g., quality, risk management, and human resources) should be included as
departmental roles and responsibilities are defined. One approach is for the
charters to draw functional boundaries while also setting an expectation of
cooperation and collaboration among those functions. One illustration is the
following, recognizing that not all entities may possess sufficient resources to
support this structure:
The compliance function promotes the prevention, detection, and
resolution of actions that do not conform to legal, policy, or business
standards. This responsibility includes the obligation to develop
policies and procedures that provide employees guidance, the creation
of incentives to promote employee compliance, the development of
plans to improve or sustain compliance, the development of metrics to
measure execution (particularly by management) of the program and
implementation of corrective actions, and the development of reports
and dashboards that help management and the Board evaluate the
effectiveness of the program.
The legal function advises the organization on the legal and
regulatory risks of its business strategies, providing advice and counsel
to management and the Board about relevant laws and regulations that
govern, relate to, or impact the organization. The function also defends
the organization in legal proceedings and initiates legal proceedings
against other parties if such action is warranted.
The internal audit function provides an objective evaluation of
the existing risk and internal control systems and framework within an
organization. Internal audits ensure monitoring functions are working as
intended and identify where management monitoring and/or additional
Board oversight may be required. Internal audit helps management (and
the compliance function) develop actions to enhance internal controls,
reduce risk to the organization, and promote more effective and efficient
use of resources. Internal audit can fulfill the auditing requirements of
the Guidelines.
The human resources function manages the recruiting, screening,
and hiring of employees; coordinates employee benefits; and provides
employee training and development opportunities.
The quality improvement function promotes consistent, safe, and
high quality practices within health care organizations. This function
improves efficiency and health outcomes by measuring and reporting
on quality outcomes and recommends necessary changes to clinical
processes to management and the Board. Quality improvement is
critical to maintaining patient-centered care and helping the organization
minimize risk of patient harm.
Boards should be aware of, and evaluate, the adequacy, independence,13
and performance of different functions within an organization on a periodic
basis. OIG believes an organization’s Compliance Officer should neither be
counsel for the provider, nor be subordinate in function or position to counsel
or the legal department, in any manner.14 While independent, an organization’s
counsel and compliance officer should collaborate to further the interests
of the organization. OIG’s position on separate compliance and legal functions
reflects the independent roles and professional obligations of each function;15
the same is true for internal audit.16 To operate effectively, the compliance,
legal, and internal audit functions should have access to appropriate
and relevant corporate information and resources. As part of this effort,
organizations will need to balance any existing attorney-client privilege with
the goal of providing such access to key individuals who are charged with
the responsibility for ensuring compliance, as well as properly reporting and
remediating any violations of civil, criminal, or administrative law.
13 Evaluation of independence typically includes assessing whether the function has uninhibited access to the relevant Board committees, is free from organizational bias through an appropriate administrative reporting relationship, and receives fair compensation adjustments based on input from any relevant Board committee.
14 See OIG and AHLA, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors, 3 (2004) (citing Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8,987, 8,997 (Feb. 23, 1998)).
15 See, generally, id.
The Board should have a process to ensure appropriate access to
information; this process may be set forth in a formal charter document
approved by the Audit Committee of the Board or in other appropriate
documents. Organizations that do not separate these functions (and some
organizations may not have the resources to make this complete separation)
should recognize the potential risks of such an arrangement. To partially
mitigate these potential risks, organizations should provide individuals serving
in multiple roles the capability to execute each function in an independent
manner when necessary, including through reporting opportunities with the
Board and executive management.
Boards should also evaluate and discuss how management works together
to address risk, including the role of each in:
1. identifying compliance risks,
2. investigating compliance risks and avoiding duplication of effort,
3. identifying and implementing appropriate corrective actions and decision-making, and
4. communicating between the various functions throughout the process.
16 Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8,987, 8,997 (Feb. 23, 1998) (auditing and monitoring function should “[b]e independent of physicians and line management”); Compliance Program Guidance for Home Health Agencies, 63 Fed. Reg. 42,410, 42,424 (Aug. 7, 1998) (auditing and monitoring function should “[b]e objective and independent of line management to the extent reasonably possible”); Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289, 14,302 (Mar. 16, 2000).
Boards should understand how management approaches conflicts or
disagreements with respect to the resolution of compliance issues and how
it decides on the appropriate course of action. The audit, compliance, and
legal functions should speak a common language, at least to the Board and
management, with respect to governance concepts, such as accountability,
risk, compliance, auditing, and monitoring. Agreeing on the adoption of certain
frameworks and definitions can help to develop such a common language.
Reporting to the Board
The Board should set and enforce expectations for receiving particular
types of compliance-related information from various members of management.
The Board should receive regular reports regarding the organization’s risk
mitigation and compliance efforts—separately and independently—from a variety
of key players, including those responsible for audit, compliance, human
resources, legal, quality, and information technology. By engaging the
leadership team and others deeper in the organization, the Board can identify
who can provide relevant information about operations and operational risks. It
may be helpful and productive for the Board to establish clear expectations for
members of the management team and to hold them accountable for performing and
informing the Board in accordance with those expectations. The Board may
request the development of objective scorecards that measure how well
management is executing the compliance program, mitigating risks, and
implementing corrective action plans. Expectations could also include reporting
information on internal and external investigations, serious issues raised in
internal and external audits, hotline call activity, all allegations of material
fraud or senior management misconduct, and all management exceptions to the
organization’s code of conduct and/or expense reimbursement policy. In
addition, the Board should expect that management will address significant
regulatory changes and enforcement events relevant to the organization’s
business.
Boards of health care organizations should receive compliance and risk-
related information in a format sufficient to satisfy the interests or concerns
of their members and to fit their capacity to review that information. Some
Boards use tools such as dashboards—containing key financial, operational and
compliance indicators to assess risk, performance against budgets, strategic
plans, policies and procedures, or other goals and objectives—in order to strike
a balance between too much and too little information. For instance, Board
quality committees can work with management to create the content of the
dashboards with a goal of identifying and responding to risks and improving
quality of care. Boards should also consider establishing a risk-based reporting
system, in which those responsible for the compliance function provide reports
to the Board when certain risk-based criteria are met. The Board should
be assured that there are mechanisms in place to ensure timely reporting
of suspected violations and to evaluate and implement remedial measures.
These tools may also be used to track and identify trends in organizational
performance against corrective action plans developed in response to
compliance concerns. Regular internal reviews that provide a Board with a
snapshot of where the organization is, and where it may be going, in terms of
compliance and quality improvement, should produce better compliance results
and higher quality services.
As part of its oversight responsibilities, the Board may want to consider
conducting regular “executive sessions” (i.e., excluding senior management)
with leadership from the compliance, legal, internal audit, and quality functions
to encourage more open communication. Scheduling regular executive sessions
creates a continuous expectation of open dialogue, rather than calling such a
session only when a problem arises, and is helpful to avoid suspicion among
management about why a special executive session is being called.
Identifying and Auditing Potential Risk Areas
Some regulatory risk areas are common to all health care providers.
Compliance in health care requires monitoring of activities that are highly
vulnerable to fraud or other violations. Areas of particular interest include
referral relationships and arrangements, billing problems (e.g., upcoding,
submitting claims for services not rendered and/or medically unnecessary
services), privacy breaches, and quality-related events.
The Board should ensure that management and the Board have strong processes
for identifying risk areas. Risk areas may be identified from internal or
external information sources. For instance, Boards and management may identify
regulatory risks from internal sources, such as employee reports to an internal
compliance hotline or internal audits. External sources that may be used to
identify regulatory risks might include professional organization publications,
OIG-issued guidance, consultants, competitors, or news media. When failures or
problems in similar organizations are publicized, Board members should ask
their own management teams whether there are controls and processes in place
to reduce the risk of, and to identify, similar misconduct or issues within
their organizations.
The Board should ensure that management consistently reviews and
audits risk areas, as well as develops, implements, and monitors corrective
action plans. One of the reasonable steps an organization is expected to take
under the Guidelines is “monitoring and auditing to detect criminal conduct.”17
Audits can pinpoint potential risk factors, identify regulatory or compliance
problems, or confirm the effectiveness of compliance controls. Audit results
that reflect compliance issues or control deficiencies should be accompanied by
corrective action plans.18
Recent industry trends should also be considered when designing risk
assessment plans. Compliance functions tasked with monitoring new areas
of risk should take into account the increasing emphasis on quality, industry
consolidation, and changes in insurance coverage and reimbursement. New
forms of reimbursement (e.g., value-based purchasing, bundling of services
for a single payment, and global payments for maintaining and improving the
health of individual patients and even entire populations) lead to new incentives
and compliance risks. Payment policies that align payment with quality
care have placed increasing pressure to conform to recommended quality
guidelines and improve quality outcomes. New payment models have also
incentivized consolidation among health care providers and more employment
and contractual relationships (e.g., between hospitals and physicians). In
light of the fact that statutes applicable to provider-physician relationships are
very broad, Boards of entities that have financial relationships with referral
sources or recipients should ask how their organizations are reviewing these
arrangements for compliance with the physician self-referral (Stark) and anti-
kickback laws. There should also be a clear understanding between the Board
and management as to how the entity will approach and implement those
relationships and what level of risk is acceptable in such arrangements.
Emerging trends in the health care industry to increase transparency can
present health care organizations with opportunities and risks. For example,
the Government is collecting and publishing data on health outcomes and
quality measures (e.g., Centers for Medicare & Medicaid Services (CMS) Quality
Compare Measures), Medicare payment data are now publicly available (e.g.,
CMS physician payment data), and the Sunshine Rule19 offers public access to
data on payments from the pharmaceutical and device industries to physicians.
Boards should consider all beneficial use of this newly available information. For
example, Boards may choose to compare accessible data against organizational
peers and incorporate national benchmarks when assessing organizational risk
and compliance. Also, Boards of organizations that employ physicians should
be cognizant of the relationships that exist between their employees and other
health care entities and whether those relationships could have an impact on
such matters as clinical and research decision-making. Because so much more
information is becoming public, Boards may be asked significant compliance-
oriented questions by various stakeholders, including patients, employees,
government officials, donors, the media, and whistleblowers.
17 See USSG § 8B2.1(b)(5).
18 See USSG § 8B2.1(c).
Encouraging Accountability and Compliance
Compliance is an enterprise-wide responsibility. While audit, compliance,
and legal functions serve as advisors, evaluators, identifiers, and monitors of
risk and compliance, it is the responsibility of the entire organization to execute
the compliance program.
In an effort to support the concept that compliance is “a way of life,” a Board
may assess employee performance in promoting and adhering to compliance.20 An
organization may assess individual, department, or facility-level performance
or consistency in executing the compliance program. These assessments
can then be used to either withhold incentives or to provide bonuses
based on compliance and quality outcomes. Some companies have made
participation in annual incentive programs contingent on satisfactorily meeting
annual compliance goals. Others have instituted employee and executive
compensation claw-back/recoupment provisions if compliance metrics are
not met. Such approaches mirror Government trends. For example, OIG is
increasingly requiring certifications of compliance from managers outside the
compliance department. Through a system of defined compliance goals and
objectives against which performance may be measured and incentivized,
organizations can effectively communicate the message that everyone is
ultimately responsible for compliance.
19 See Sunshine Rule, 42 C.F.R. § 403.904, and CMS Open Payments,
http://www.cms.gov/Regulations-and-Guidance/Legislation/National-Physician-Payment-Transparency-Program/index.html.
20 Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289, 14,298-14,299 (Mar. 16, 2000).
Governing Boards have multiple incentives to build compliance programs
that encourage self-identification of compliance failures and to voluntarily
disclose such failures to the Government. For instance, providers enrolled
in Medicare or Medicaid are required by statute to report and refund any
overpayments under what is called the 60 Day Rule.21 The 60-Day Rule requires
all Medicare and Medicaid participating providers and suppliers to report and
refund known overpayments within 60 days from the date the overpayment is
“identified” or within 60 days of the date when any corresponding cost report
is due. Failure to follow the 60-Day Rule can result in False Claims Act or
civil monetary penalty liability. The final regulations, when released, should
provide additional guidance and clarity as to what it means to “identify” an
overpayment.22 However, as an example, a Board would be well served by
asking management about its efforts to develop policies for identifying and
returning overpayments. Such an inquiry would inform the Board about how
proactive the organization’s compliance program may be in correcting and
remediating compliance issues.
21 42 U.S.C. § 1320a-7k.
22 Medicare Program; Reporting and Returning of Overpayments, 77 Fed. Reg. 9179, 9182 (Feb. 16, 2012) (Under the proposed regulations interpreting this statutory requirement, an overpayment is “identified” when a person “has actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate ignorance of the overpayment.”); Medicare Program; Reporting and Returning of Overpayments; Extensions of Timeline for Publication of the Final Rule, 80 Fed. Reg. 8247 (Feb. 17, 2015).
Organizations that discover a violation of law often engage in an internal
analysis of the benefits and costs of disclosing—and risks of failing to disclose—
such violation to OIG and/or another governmental agency. Organizations
that are proactive in self-disclosing issues under OIG’s Self-Disclosure Protocol
realize certain benefits, such as (1) faster resolution of the case—the average
OIG self-disclosure is resolved in less than one year; (2) lower payment—OIG
settles most self-disclosure cases for 1.5 times damages rather than for double
or treble damages and penalties available under the False Claims Act; and
(3) exclusion release as part of settlement with no CIA or other compliance
obligations.23 OIG believes that providers have legal and ethical obligations to
disclose known violations of law occurring within their organizations.24 Boards
should ask management how it handles the identification of probable violations
of law, including voluntary self-disclosure of such issues to the Government.
As an extension of their oversight of reporting mechanisms and
structures, Boards would also be well served by evaluating whether compliance
systems and processes encourage effective communication across the
organizations and whether employees feel confident that raising compliance
concerns, questions, or complaints will result in meaningful inquiry without
retaliation or retribution. Further, the Board should request and receive
sufficient information to evaluate the appropriateness of management’s
responses to identified violations of the organization’s policies or Federal or
State laws.
Conclusion
A health care governing Board should make efforts to increase its
knowledge of relevant and emerging regulatory risks, the role and functioning
of the organization’s compliance program in the face of those risks, and
the flow and elevation of reporting of potential issues and problems to
senior management. A Board should also encourage a level of compliance
accountability across the organization. A Board may find that not every
measure addressed in this document is appropriate for its organization, but
every Board is responsible for ensuring that its organization complies with
relevant Federal, State, and local laws. The recommendations presented in this
document are intended to assist Boards with the performance of those activities
that are key to their compliance program oversight responsibilities. Ultimately,
compliance efforts are necessary to protect patients and public funds, but the
form and manner of such efforts will always be dependent on the organization’s
individual situation.
23 See OIG, Self-Disclosure Information,
http://oig.hhs.gov/compliance/self-disclosure-info.
24 See id., at 2 (“we believe that using the [Self-Disclosure Protocol] may mitigate potential exposure under section 1128J(d) of the Act, 42 U.S.C. 1320a-7k(d).”)
Bibliography
Elisabeth Belmont, et al., “Quality in Action: Paradigm for a Hospital Board-Driven Quality Program,” 4 Journal of Health & Life Sciences Law 95, 113 (Feb. 2011).
Larry Gage, Transformational Governance: Best Practices for Public and Nonprofit Hospitals and Health Systems, Center for Healthcare Governance (2012).
Tracy E. Miller and Valerie L. Gutmann, “Changing Expectations for Board Oversight of Healthcare Quality: The Emerging Paradigm,” 2 Journal of Health & Life Sciences Law (July 2009).
Tracy E. Miller, Board Fiduciary Duty to Oversee Quality: New Challenges, Rising Expectations, 3 NYSBA Health L.J. (Summer/Fall 2012).
Lawrence Prybil, et al., Governance in Nonprofit Community Health Systems: An Initial Report on CEO Perspectives, Grant Thornton LLP (Feb. 2008).
Corporate Compliance
Date: March 11, 2015
To: Corporate Compliance/Privacy and Audit Committee
From: Diane Wigglesworth, Director Corporate Compliance
Re: Practical Guidance for Health Care Governing Boards On Compliance Oversight
Daniel Levinson, Inspector General of the OIG, introduced this educational resource for health care
governing Boards at the April 2015 annual Health Care Compliance Association Institute that I
recently attended. Mr. Levinson emphasized that compliance is an enterprise-wide responsibility.
Compliance, audit, and legal functions serve as advisors and monitor risk while compliance remains
the responsibility of the entire organization under the Board's oversight.
Of the recommendations in this document there are three items I believe the compliance committee
should consider to further enhance the Hospital's Compliance program.
1. Board members should be periodically educated on their oversight responsibilities and the
organization's highest risks.
2. Board should consider scheduling regular executive sessions with Compliance and Legal to
encourage open and continuous communication.
3. Board should recommend the development of an objective scorecard as part of management’s
annual performance review that measures how well management is executing the
compliance program, mitigating risks, and implementing corrective actions.
Attachment 9 OIG Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf
Practical Guidance for Health Care Governing Boards
on Compliance Oversight
Office of Inspector General, U.S. Department of Health and Human Services
Association of Healthcare Internal Auditors
American Health Lawyers Association
Health Care Compliance Association
About the Organizations
This educational resource was developed in collaboration between the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA), the Health Care Compliance Association (HCCA), and the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS).
AHIA is an international organization dedicated to the advancement of the health care internal auditing profession. The AHLA is the Nation’s largest nonpartisan, educational organization devoted to legal issues in the health care field. HCCA is a member-based, nonprofit organization serving compliance professionals throughout the health care field. OIG’s mission is to protect the integrity of more than 100 HHS programs, including Medicare and Medicaid, as well as the health and welfare of program beneficiaries.
The following individuals, representing these organizations, served on the drafting task force for this document:
Katherine Matos, Senior Counsel, OIG, HHS
Felicia E. Heimer, Senior Counsel, OIG, HHS
Catherine A. Martin, Principal, Ober | Kaler (AHLA)
Robert R. Michalski, Chief Compliance Officer, Baylor Scott & White Health (AHIA)
Daniel Roach, General Counsel and Chief Compliance Officer, Optum360 (HCCA)
Sanford V. Teplitzky, Principal, Ober | Kaler (AHLA)
Published on April 20, 2015.
This document is intended to assist governing boards of health care organizations (Boards) to responsibly carry out their compliance plan oversight obligations under applicable laws. This document is intended as guidance and should not be interpreted as setting any particular standards of conduct. The authors recognize that each health care entity can, and should, take the necessary steps to ensure compliance with applicable Federal, State, and local law. At the same time, the authors also recognize that there is no uniform approach to compliance. No part of this document should be taken as the opinion of, or as legal or professional advice from, any of the authors or their respective agencies or organizations.
Table of Contents
Introduction
Expectations for Board Oversight of Compliance Program Functions
Roles and Relationships
Reporting to the Board
Identifying and Auditing Potential Risk Areas
Encouraging Accountability and Compliance
Conclusion
Bibliography
Introduction
Previous guidance1 has consistently emphasized the need for Boards to be
fully engaged in their oversight responsibility. A critical element of effective
oversight is the process of asking the right questions of management to
determine the adequacy and effectiveness of the organization’s compliance
program, as well as the performance of those who develop and execute that
program, and to make compliance a responsibility for all levels of management.
Given heightened industry and professional interest in governance and transparency issues, this document seeks to provide practical tips for Boards as they work to effectuate their oversight role of their organizations’ compliance with State and Federal laws that regulate the health care industry. Specifically, this document addresses issues relating to a Board’s oversight and review of compliance program functions, including the: (1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for issue-reporting within an organization; (3) approach to identifying regulatory risk; and (4) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.
1 OIG and AHLA, Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors (2003); OIG and AHLA, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors (2004); and OIG and AHLA, Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors (2007).
Expectations for Board Oversight of Compliance Program Functions
A Board must act in good faith in the exercise of its oversight
responsibility for its organization, including making inquiries to ensure:
(1) a corporate information and reporting system exists and (2) the reporting
system is adequate to assure the Board that appropriate information relating to
compliance with applicable laws will come to its attention timely and as a matter
of course.2 The existence of a corporate reporting system is a key compliance
program element, which not only keeps the Board informed of the activities of
the organization, but also enables an organization to evaluate and respond to
issues of potentially illegal or otherwise inappropriate activity.
Boards are encouraged to use widely recognized public compliance
resources as benchmarks for their organizations. The Federal Sentencing
Guidelines (Guidelines),3 OIG’s voluntary compliance program guidance
documents,4 and OIG Corporate Integrity Agreements (CIAs) can be used as
baseline assessment tools for Boards and management in determining what
specific functions may be necessary to meet the requirements of an effective
compliance program. The Guidelines “offer incentives to organizations to reduce
and ultimately eliminate criminal conduct by providing a structural foundation
from which an organization may self-police its own conduct through an effective
compliance and ethics program.”5 The compliance program guidance documents
were developed by OIG to encourage the development and use of internal
controls to monitor adherence to applicable statutes, regulations, and program
requirements. CIAs impose specific structural and reporting requirements to
2 In re Caremark Int’l, Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
3 U.S. Sentencing Commission, Guidelines Manual (Nov. 2013) (USSG),
http://www.ussc.gov/sites/default/files/pdf/guidelines-manual/2013/manual-pdf/2013_Guidelines_
Manual_Full.pdf.
4 OIG, Compliance Guidance,
http://oig.hhs.gov/compliance/compliance-guidance/index.asp.
5 USSG Ch. 8, Intro. Comment.
promote compliance with Federal health care program standards at entities that
have resolved fraud allegations.
Basic CIA elements mirror those in the Guidelines, but a CIA also includes
obligations tailored to the organization and its compliance risks. Existing CIAs
may be helpful resources for Boards seeking to evaluate their organizations’
compliance programs. OIG has required some settling entities, such as health systems and hospitals, to agree to Board-level requirements, including annual resolutions. These resolutions are signed by each member of the Board, or the designated Board committee, and detail the activities that have been undertaken to review and oversee the organization’s compliance with Federal health care program and CIA requirements. OIG has not required this level of Board involvement in every case, but these provisions demonstrate the importance placed on Board oversight in cases OIG believes reflect serious compliance failures.
Although compliance program design is not a “one size fits all” issue,
Boards are expected to put forth a meaningful effort to review the adequacy
of existing compliance systems and functions. Ensuring that management is
aware of the Guidelines, compliance program guidance, and relevant CIAs is a
good first step.
One area of inquiry for Board members of health care organizations
should be the scope and adequacy of the compliance program in light of the
size and complexity of their organizations. The Guidelines allow for variation
according to “the size of the organization.”6 In accordance with the Guidelines,
6 USSG § 8B2.1, comment. (n. 2).
OIG recognizes that the design of a compliance program will depend on the
size and resources of the organization.7 Additionally, the complexity of the
organization will likely dictate the nature and magnitude of regulatory impact
and thereby the nature and skill set of resources needed to manage and
monitor compliance.
While smaller or less complex organizations must demonstrate the
same degree of commitment to ethical conduct and compliance as larger
organizations, the Government recognizes that they may meet the Guidelines
requirements with less formality and fewer resources than would be expected
of larger and more complex organizations.8 Smaller organizations may meet
their compliance responsibility by “using available personnel, rather than
employing separate staff, to carry out the compliance and ethics program.”
Board members of such organizations may wish to evaluate whether the
organization is “modeling its own compliance and ethics programs on existing,
well-regarded compliance and ethics programs and best practices of other
similar organizations.”9 The Guidelines also foresee that Boards of smaller
organizations may need to become more involved in the organizations’
compliance and ethics efforts than their larger counterparts.10
Boards should develop a formal plan to stay abreast of the ever-changing
regulatory landscape and operating environment. The plan may involve periodic
updates from informed staff or review of regulatory resources made available to
them by staff. With an understanding of the dynamic regulatory environment,
Boards will be in a position to ask more pertinent questions of management
7 Compliance Program for Individual and Small Group Physician Practices, 65 Fed. Reg. 59434, 59436 (Oct. 5, 2000) (“The extent of implementation [of the seven components of a voluntary compliance program] will depend on the size and resources of the practice. Smaller physician practices may incorporate each of the components in a manner that best suits the practice. By contrast, larger physician practices often have the means to incorporate the components in a more systematic manner.”); Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289 (Mar. 16, 2000) (recognizing that smaller providers may not be able to outsource their screening process or afford to maintain a telephone hotline).
8 USSG § 8B2.1, comment. (n. 2).
9 Id.
10 Id.
and make informed strategic decisions regarding the organizations’ compliance
programs, including matters that relate to funding and resource allocation.
For instance, new standards and reporting requirements, as required by
law, may, but do not necessarily, result in increased compliance costs for an
organization. Board members may also wish to take advantage of outside
educational programs that provide them with opportunities to develop a better
understanding of industry risks, regulatory requirements, and how effective
compliance and ethics programs operate. In addition, Boards may want
management to create a formal education calendar that ensures that Board
members are periodically educated on the organizations’ highest risks.
Finally, a Board can raise its level of substantive expertise with respect
to regulatory and compliance matters by adding to the Board, or periodically
consulting with, an experienced regulatory, compliance, or legal professional.
The presence of a professional with health care compliance expertise on
the Board sends a strong message about the organization’s commitment
to compliance, provides a valuable resource to other Board members, and
helps the Board better fulfill its oversight obligations. Board members are
generally entitled to rely on the advice of experts in fulfilling their duties.11
OIG sometimes requires entities under a CIA to retain an expert in compliance
or governance issues to assist the Board in fulfilling its responsibilities under
the CIA.12 Experts can assist Boards and management in a variety of ways,
including the identification of risk areas, provision of insight into best practices
in governance, or consultation on other substantive or investigative matters.
11 See Del. Code Ann. tit. 8, § 141(e) (2010); ABA Revised Model Business Corporation Act, §§ 8.30(e), (f)(2) Standards of Conduct for Directors.
12 See Corporate Integrity Agreements between OIG and Halifax Hospital Medical Center and Halifax Staffing, Inc. (2014, compliance and governance); Johnson & Johnson (2013); Dallas County Hospital District d/b/a Parkland Health and Hospital System (2013, compliance and governance); Forest Laboratories, Inc. (2010); Novartis Pharmaceuticals Corporation (2010); Ortho-McNeil-Janssen Pharmaceuticals, Inc. (2010); Synthes, Inc. (2010, compliance expert retained by Audit Committee); The University of Medicine and Dentistry of New Jersey (2009, compliance expert retained by Audit Committee); Quest Diagnostics Incorporated (2009); Amerigroup Corporation (2008); Bayer HealthCare LLC (2008); and Tenet Healthcare Corporation (2006; retained by the Quality, Compliance, and Ethics Committee of the Board).
Roles and Relationships
Organizations should define the interrelationship of the audit, compliance,
and legal functions in charters or other organizational documents. The
structure, reporting relationships, and interaction of these and other functions
(e.g., quality, risk management, and human resources) should be included as
departmental roles and responsibilities are defined. One approach is for the
charters to draw functional boundaries while also setting an expectation of
cooperation and collaboration among those functions. One illustration is the
following, recognizing that not all entities may possess sufficient resources to
support this structure:
The compliance function promotes the prevention, detection, and
resolution of actions that do not conform to legal, policy, or business
standards. This responsibility includes the obligation to develop
policies and procedures that provide employees guidance, the creation
of incentives to promote employee compliance, the development of
plans to improve or sustain compliance, the development of metrics to
measure execution (particularly by management) of the program and
implementation of corrective actions, and the development of reports
and dashboards that help management and the Board evaluate the
effectiveness of the program.
The legal function advises the organization on the legal and
regulatory risks of its business strategies, providing advice and counsel
to management and the Board about relevant laws and regulations that
govern, relate to, or impact the organization. The function also defends
the organization in legal proceedings and initiates legal proceedings
against other parties if such action is warranted.
The internal audit function provides an objective evaluation of
the existing risk and internal control systems and framework within an
organization. Internal audits ensure monitoring functions are working as
intended and identify where management monitoring and/or additional
Board oversight may be required. Internal audit helps management (and
the compliance function) develop actions to enhance internal controls,
reduce risk to the organization, and promote more effective and efficient
use of resources. Internal audit can fulfill the auditing requirements of
the Guidelines.
The human resources function manages the recruiting, screening,
and hiring of employees; coordinates employee benefits; and provides
employee training and development opportunities.
The quality improvement function promotes consistent, safe, and
high quality practices within health care organizations. This function
improves efficiency and health outcomes by measuring and reporting
on quality outcomes and recommends necessary changes to clinical
processes to management and the Board. Quality improvement is
critical to maintaining patient-centered care and helping the organization
minimize risk of patient harm.
Boards should be aware of, and evaluate, the adequacy, independence,13
and performance of different functions within an organization on a periodic
basis. OIG believes an organization’s Compliance Officer should neither be
counsel for the provider, nor be subordinate in function or position to counsel
or the legal department, in any manner.14 While independent, an organization’s
counsel and compliance officer should collaborate to further the interests
of the organization. OIG’s position on separate compliance and legal functions
reflects the independent roles and professional obligations of each function;15
13 Evaluation of independence typically includes assessing whether the function has uninhibited access to the relevant Board committees, is free from organizational bias through an appropriate administrative reporting relationship, and receives fair compensation adjustments based on input from any relevant Board committee.
14 See OIG and AHLA, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors, 3 (2004) (citing Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8,987, 8,997 (Feb. 23, 1998)).
15 See, generally, id.
the same is true for internal audit.16 To operate effectively, the compliance,
legal, and internal audit functions should have access to appropriate
and relevant corporate information and resources. As part of this effort,
organizations will need to balance any existing attorney-client privilege with
the goal of providing such access to key individuals who are charged with
the responsibility for ensuring compliance, as well as properly reporting and
remediating any violations of civil, criminal, or administrative law.
The Board should have a process to ensure appropriate access to
information; this process may be set forth in a formal charter document
approved by the Audit Committee of the Board or in other appropriate
documents. Organizations that do not separate these functions (and some
organizations may not have the resources to make this complete separation)
should recognize the potential risks of such an arrangement. To partially
mitigate these potential risks, organizations should provide individuals serving
in multiple roles the capability to execute each function in an independent
manner when necessary, including through reporting opportunities with the
Board and executive management.
Boards should also evaluate and discuss how management works together
to address risk, including the role of each in:
1. identifying compliance risks,
2. investigating compliance risks and avoiding duplication of effort,
3. identifying and implementing appropriate corrective actions and decision-making, and
4. communicating between the various functions throughout the process.
16 Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8,987, 8,997 (Feb. 23, 1998) (auditing and monitoring function should “[b]e independent of physicians and line management”); Compliance Program Guidance for Home Health Agencies, 63 Fed. Reg. 42,410, 42,424 (Aug. 7, 1998) (auditing and monitoring function should “[b]e objective and independent of line management to the extent reasonably possible”); Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289, 14,302 (Mar. 16, 2000).
Boards should understand how management approaches conflicts or
disagreements with respect to the resolution of compliance issues and how
it decides on the appropriate course of action. The audit, compliance, and
legal functions should speak a common language, at least to the Board and
management, with respect to governance concepts, such as accountability,
risk, compliance, auditing, and monitoring. Agreeing on the adoption of certain
frameworks and definitions can help to develop such a common language.
Reporting to the Board
The Board should set and enforce expectations for receiving particular types of compliance-related information from various members of management. The Board should receive regular reports regarding the organization’s risk mitigation and compliance efforts—separately and independently—from a variety of key players, including those responsible for audit, compliance, human resources, legal, quality, and information technology. By engaging the leadership team and others deeper in the organization, the Board can identify who can provide relevant information about operations and operational risks. It may be helpful and productive for the Board to establish clear expectations for members of the management team and to hold them accountable for performing and informing the Board in accordance with those expectations. The Board may request the development of objective scorecards that measure how well management is executing the compliance program, mitigating risks, and implementing corrective action plans. Expectations could also include reporting information on internal and external investigations, serious issues raised in internal and external audits, hotline call activity, all allegations of material fraud or senior management misconduct, and all management exceptions to the organization’s code of conduct and/or expense reimbursement policy. In addition, the Board should expect that management will address significant regulatory changes and enforcement events relevant to the organization’s business.
Boards of health care organizations should receive compliance and risk-
related information in a format sufficient to satisfy the interests or concerns
of their members and to fit their capacity to review that information. Some
Boards use tools such as dashboards—containing key financial, operational and
compliance indicators to assess risk, performance against budgets, strategic
plans, policies and procedures, or other goals and objectives—in order to strike
a balance between too much and too little information. For instance, Board
quality committees can work with management to create the content of the
dashboards with a goal of identifying and responding to risks and improving
quality of care. Boards should also consider establishing a risk-based reporting
system, in which those responsible for the compliance function provide reports
to the Board when certain risk-based criteria are met. The Board should
be assured that there are mechanisms in place to ensure timely reporting
of suspected violations and to evaluate and implement remedial measures.
These tools may also be used to track and identify trends in organizational
performance against corrective action plans developed in response to
compliance concerns. Regular internal reviews that provide a Board with a
snapshot of where the organization is, and where it may be going, in terms of
compliance and quality improvement, should produce better compliance results
and higher quality services.
As part of its oversight responsibilities, the Board may want to consider
conducting regular “executive sessions” (i.e., excluding senior management)
with leadership from the compliance, legal, internal audit, and quality functions
to encourage more open communication. Scheduling regular executive sessions
creates a continuous expectation of open dialogue, rather than calling such a
session only when a problem arises, and is helpful to avoid suspicion among
management about why a special executive session is being called.
Identifying and Auditing Potential Risk Areas
Some regulatory risk areas are common to all health care providers.
Compliance in health care requires monitoring of activities that are highly
vulnerable to fraud or other violations. Areas of particular interest include
referral relationships and arrangements, billing problems (e.g., upcoding,
submitting claims for services not rendered and/or medically unnecessary
services), privacy breaches, and quality-related events.
The Board should ensure that management and the Board have strong processes for identifying risk areas. Risk areas may be identified from internal or external information sources. For instance, Boards and management may identify regulatory risks from internal sources, such as employee reports to an internal compliance hotline or internal audits. External sources that may be used to identify regulatory risks might include professional organization publications, OIG-issued guidance, consultants, competitors, or news media. When failures or problems in similar organizations are publicized, Board members should ask their own management teams whether there are controls and processes in place to reduce the risk of, and to identify, similar misconduct or issues within their organizations.
The Board should ensure that management consistently reviews and
audits risk areas, as well as develops, implements, and monitors corrective
action plans. One of the reasonable steps an organization is expected to take
under the Guidelines is “monitoring and auditing to detect criminal conduct.”17
Audits can pinpoint potential risk factors, identify regulatory or compliance
problems, or confirm the effectiveness of compliance controls. Audit results
that reflect compliance issues or control deficiencies should be accompanied by
corrective action plans.18
Recent industry trends should also be considered when designing risk
assessment plans. Compliance functions tasked with monitoring new areas
of risk should take into account the increasing emphasis on quality, industry
consolidation, and changes in insurance coverage and reimbursement. New
forms of reimbursement (e.g., value-based purchasing, bundling of services
for a single payment, and global payments for maintaining and improving the
health of individual patients and even entire populations) lead to new incentives
and compliance risks. Payment policies that align payment with quality
care have placed increasing pressure to conform to recommended quality
guidelines and improve quality outcomes. New payment models have also
incentivized consolidation among health care providers and more employment
and contractual relationships (e.g., between hospitals and physicians). In
light of the fact that statutes applicable to provider-physician relationships are
very broad, Boards of entities that have financial relationships with referral
sources or recipients should ask how their organizations are reviewing these
arrangements for compliance with the physician self-referral (Stark) and anti-
kickback laws. There should also be a clear understanding between the Board
and management as to how the entity will approach and implement those
relationships and what level of risk is acceptable in such arrangements.
Emerging trends in the health care industry to increase transparency can
present health care organizations with opportunities and risks. For example,
the Government is collecting and publishing data on health outcomes and
quality measures (e.g., Centers for Medicare & Medicaid Services (CMS) Quality
Compare Measures), Medicare payment data are now publicly available (e.g.,
17 See USSG § 8B2.1(b)(5).
18 See USSG § 8B2.1(c).
CMS physician payment data), and the Sunshine Rule19 offers public access to
data on payments from the pharmaceutical and device industries to physicians.
Boards should consider all beneficial use of this newly available information. For
example, Boards may choose to compare accessible data against organizational
peers and incorporate national benchmarks when assessing organizational risk
and compliance. Also, Boards of organizations that employ physicians should
be cognizant of the relationships that exist between their employees and other
health care entities and whether those relationships could have an impact on
such matters as clinical and research decision-making. Because so much more
information is becoming public, Boards may be asked significant compliance-
oriented questions by various stakeholders, including patients, employees,
government officials, donors, the media, and whistleblowers.
Encouraging Accountability and Compliance
Compliance is an enterprise-wide responsibility. While audit, compliance,
and legal functions serve as advisors, evaluators, identifiers, and monitors of
risk and compliance, it is the responsibility of the entire organization to execute
the compliance program.
In an effort to support the concept that compliance is “a way of life,” a Board may assess employee performance in promoting and adhering to compliance.20 An organization may assess individual, department, or facility-level performance or consistency in executing the compliance program. These assessments can then be used to either withhold incentives or to provide bonuses
19 See Sunshine Rule, 42 C.F.R. § 403.904, and CMS Open Payments,
http://www.cms.gov/Regulations-and-Guidance/Legislation/National-Physician-Payment-Transparency-
Program/index.html.
20 Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289, 14,298-14,299 (Mar. 16, 2000).
based on compliance and quality outcomes. Some companies have made
participation in annual incentive programs contingent on satisfactorily meeting
annual compliance goals. Others have instituted employee and executive
compensation claw-back/recoupment provisions if compliance metrics are
not met. Such approaches mirror Government trends. For example, OIG is
increasingly requiring certifications of compliance from managers outside the
compliance department. Through a system of defined compliance goals and
objectives against which performance may be measured and incentivized,
organizations can effectively communicate the message that everyone is
ultimately responsible for compliance.
Governing Boards have multiple incentives to build compliance programs
that encourage self-identification of compliance failures and to voluntarily
disclose such failures to the Government. For instance, providers enrolled
in Medicare or Medicaid are required by statute to report and refund any
overpayments under what is called the 60-Day Rule.21 The 60-Day Rule requires
all Medicare and Medicaid participating providers and suppliers to report and
refund known overpayments within 60 days from the date the overpayment is
“identified” or within 60 days of the date when any corresponding cost report
is due. Failure to follow the 60-Day Rule can result in False Claims Act or
civil monetary penalty liability. The final regulations, when released, should
provide additional guidance and clarity as to what it means to “identify” an
overpayment.22 However, as an example, a Board would be well served by
asking management about its efforts to develop policies for identifying and
returning overpayments. Such an inquiry would inform the Board about how
proactive the organization’s compliance program may be in correcting and
remediating compliance issues.
21 42 U.S.C. § 1320a-7k.
22 Medicare Program; Reporting and Returning of Overpayments, 77 Fed. Reg. 9179, 9182 (Feb. 16, 2012) (Under the proposed regulations interpreting this statutory requirement, an overpayment is “identified” when a person “has actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate ignorance of the overpayment.”); Medicare Program; Reporting and Returning of Overpayments; Extensions of Timeline for Publication of the Final Rule, 80 Fed. Reg. 8247 (Feb. 17, 2015).
Organizations that discover a violation of law often engage in an internal
analysis of the benefits and costs of disclosing—and risks of failing to disclose—
such violation to OIG and/or another governmental agency. Organizations
that are proactive in self-disclosing issues under OIG’s Self-Disclosure Protocol
realize certain benefits, such as (1) faster resolution of the case—the average
OIG self-disclosure is resolved in less than one year; (2) lower payment—OIG
settles most self-disclosure cases for 1.5 times damages rather than for double
or treble damages and penalties available under the False Claims Act; and
(3) exclusion release as part of settlement with no CIA or other compliance
obligations.23 OIG believes that providers have legal and ethical obligations to
disclose known violations of law occurring within their organizations.24 Boards
should ask management how it handles the identification of probable violations
of law, including voluntary self-disclosure of such issues to the Government.
As an extension of their oversight of reporting mechanisms and
structures, Boards would also be well served by evaluating whether compliance
systems and processes encourage effective communication across the
organizations and whether employees feel confident that raising compliance
concerns, questions, or complaints will result in meaningful inquiry without
retaliation or retribution. Further, the Board should request and receive
sufficient information to evaluate the appropriateness of management’s
responses to identified violations of the organization’s policies or Federal or
State laws.
Conclusion
A health care governing Board should make efforts to increase its
knowledge of relevant and emerging regulatory risks, the role and functioning
of the organization’s compliance program in the face of those risks, and
the flow and elevation of reporting of potential issues and problems to
23 See OIG, Self-Disclosure Information,
http://oig.hhs.gov/compliance/self-disclosure-info.
24 See id., at 2 (“we believe that using the [Self-Disclosure Protocol] may mitigate potential exposure under section 1128J(d) of the Act, 42 U.S.C. 1320a-7k(d).”)
senior management. A Board should also encourage a level of compliance
accountability across the organization. A Board may find that not every
measure addressed in this document is appropriate for its organization, but
every Board is responsible for ensuring that its organization complies with
relevant Federal, State, and local laws. The recommendations presented in this
document are intended to assist Boards with the performance of those activities
that are key to their compliance program oversight responsibilities. Ultimately,
compliance efforts are necessary to protect patients and public funds, but the
form and manner of such efforts will always be dependent on the organization’s
individual situation.
Corporate Compliance/Privacy and Audit Committee
Goals FY 2015
Purpose
The purpose of the Corporate Compliance/Privacy and Audit Committee (“Compliance and Audit Committee”) is to advise and assist the El Camino Hospital (ECH) Hospital Board of Directors (“Board”) in its exercise of oversight by monitoring the compliance policies, controls and processes of the organization and the engagement, independence and performance of the internal auditor and external auditor. The Compliance and Audit Committee assists the Board in oversight of any regulatory audit and in assuring the organizational integrity of ECH in a manner consistent with its mission and purpose.
Staff: Diane Wigglesworth, Director of Corporate Compliance
The Director, Corporate Compliance/Privacy and Audit Committee shall serve as the primary staff support to the Committee and is responsible for drafting the Committee meeting agenda for the Committee Chair’s consideration. Additional members of the executive team or outside consultants may participate in the Committee meetings upon the recommendation of the Director, Corporate Compliance/Privacy and Internal Audit Committee and at the discretion of the Committee Chair.
Goals, Timeline by Fiscal Year, Metrics of Success, and Achievement
(Timeframe applies to when the Board approves the recommended action from the Committee, if applicable.)

Goal 1: Review and evaluate Hospital’s proposed FY 2015 Internal Audit Work Plan based on the current risk assessment.
Timeline by Fiscal Year: Q1 2015
Metrics of Success: Committee reviews FY 2015 Internal Audit Work Plan developed by staff in August and provides report to the Board.
Achieved: Completed – Board approved 9/2014.

Goal 2: Participate in staff-developed education session regarding Government Audit Programs (i.e., MIC, MAC, ZPIC and RAC).
Timeline by Fiscal Year: Q2 2015
Metrics of Success: Committee to receive education by 12/31/14.
Achieved: Completed at November 13, 2014 meeting.

Goal 3: Review Enterprise-Wide Risk Assessment and action plan for identified risks and validate the top four risks under each domain.
Timeline by Fiscal Year: Q3 – Q4 2015
Metrics of Success: Committee reviews ERM Risk Assessment, approves Hospital’s action plan for identified risks, and recommends plan to the Board for approval in March 2015 (possible delay for Hospital Board review until May or June 2015).
Achieved: Completed.

Goal 4: Review and evaluate Hospital’s risk mitigation plan for Research Compliance.
Timeline by Fiscal Year: Q4 2015
Metrics of Success: Committee presents risk mitigation plan to the Board by June 2015.
Achieved: Completed.
Submitted by: John Zoglin, Chair, Corporate Compliance/Privacy and Compliance Committee
Diane Wigglesworth, Executive Sponsor, Corporate Compliance/Privacy and Compliance Committee
Corporate Compliance
Date: March 11, 2015
To: Corporate Compliance/Privacy and Audit Committee
From: Diane Wigglesworth, Director Corporate Compliance
Re: Proposed FY 2016 Committee Meeting Dates
Proposing the following meeting dates for the next fiscal year:
August 20, 2015
September 24, 2015
November 19, 2015
January 21, 2016
March 17, 2016
May 19, 2016